HealthBlawg

David Harlow's Health Care Law Blog


The Virginia prescription record security breach: The big picture, and using this case as a learning experience

May 6, 2009

The Virginia Department of Health Professions is having a bad week. Apparently, a hacker downloaded personal health information of eight million individuals, including 35 million prescription records, and then replaced the information on the state website with a crude "ransom" note demanding $10 million in exchange for unlocking the encrypted file containing what is supposedly the only copy of the patient information seized.  (Screenshot of hacked website with notice posted here; see Bob Coffield's post on the story for a good roundup of the facts and review of some HIPAA/ARRA/HITECH implications.)  This has gotten the attention of the digerati and the blogerati, and even of some folks beyond the echo chamber of the blogosphere and twitterverse, out in the real world (like Virginia officialdom, which has gotten communications on this incident off to a slow start).

Update 6/5/09: Virginia security breach notices are going out — a month after the fact — to over 500,000 individuals whose social security numbers were part of their prescription records.  Too little, too late? 

So, this episode raises a few questions for me of broader application:

  1. What is the scope of personal data insecurity in this country?
  2. What preventive maintenance and design steps must or should be taken by all holders of personal data in order to minimize the likelihood of a breach?
  3. In the event of a security breach, what communication is required by law, and what should "best practices" communications strategy look like, beyond what is required by the letter of the law?

Let's hack away (unconscious choice of words while typing) at these questions one at a time.

Scope of the Problem

The scope of the issue is, not to put too fine a point on it, very broad, and getting broader daily. The issue is relevant to financial and other data, but for purposes of this post, I'll confine my observations to personal health data ("protected health information," "PHI" or "individually identifiable health information" in HIPAA-speak). In the bad old days (which are perhaps coming to a close one of these years thanks to the $19 billion HITECH Act handout), PHI insecurity was limited to the problem of folks who might wander into a file room and get a hold of your medical records without having a good reason to do so. Thanks to the computerization of medical records in a desktop computer, laptop, server, storage device, or "in the cloud" (now that's a whole other can of worms), millions of records are out there for the hacking. Given the lackadaisical attitude that some have towards data security, these records are accessible to bad-intentioned identity thieves as well as to recreational hackers. The scope of the issue may be glimpsed through a visit to the Privacy Rights Clearinghouse site, A Chronology of Data Breaches, a wonderful compendium of data security breach incidents (beginning January 2005) and related resources (not yet updated as of this writing to include a reference to the Virginia debacle). This chronology is not limited to health care data breaches; a quick scan seems to confirm that the Virginia incident is among the largest health care data breaches, but it is not the first breach of a state agency system. (And remember the Express Scripts ransom hacker case a little while back?)

Prevention

Data security and privacy protections applicable to PHI have been ratcheted up a couple of notches this year with the Son of HIPAA provisions thrown into ARRA, the FTC Red Flags Rule and some parallel state rulemaking activity (see, e.g., the Massachusetts data security rule). With all these recent changes, new comprehensive preemption analyses will have to be undertaken, but I'll offer a couple of observations: It is imperative that all health care providers and business associates undertake privacy and security audits of their current operations. This includes a review of policies and procedures (and the adoption of policies and procedures later this year by business associates, which were not required to have them in place pre-ARRA), to ensure compliance with HIPAA, Son of HIPAA, the FTC Red Flags Rule (if applicable; it relates to businesses that extend credit, defined very broadly, and snaps into effect August 1, after a couple of delays), and state privacy laws. All policies and procedures need to be beefed up as appropriate. Hardware, software and wetware must be tested for compliance and must also be beefed up as needed. In my community, when faced with a computer problem, we always say: "Ask a teenager!" In addition to the usual trusted advisors, it might not hurt to spot-check security systems by challenging a reliable computer-savvy teenager (or twentysomething) to hack into a system.

Breach Notification

ARRA Sec. 13402 (p. 146) technically doesn't require a breach notification to be sent to affected folks in the Virginia matter because the regs aren't out yet (they're due out by August, effective 30 days later). Guidance on what makes data unreadable by unauthorized folks has been released for public comment — if Virginia made the data secure according to the definitions in this guidance, then its release would not be considered a breach, and would not trigger notification requirements. These guidelines are something to consider in designing secure environments for data — they address both data in use and data at rest, and incorporate by reference some NIST standards. Adhering to the guidance not only has the PR benefit of allowing an entity to avoid having to make a breach notification, it could even help in preventing breaches in the first place. It would be interesting to learn whether the Virginia data was protected in the manner called for in this guidance.

Whether or not a notice is required, careful consideration should be given to developing a communications plan for alerting patients to any breach, and to explaining what is being done to minimize the risk of similar (or dissimilar) breaches occurring in the future. This may be a delicate dance (the folks in Virginia have been saying they can't comment because an FBI investigation is underway), but it seems to me that a criminal investigation does not need to bar any and all communications with patients and the public at large about the situation.

As the remaining ARRA rules come out and covered entities and others have a clearer roadmap before them, it will be imperative that they undertake the steps outlined above so that they can maintain compliance with these new requirements, ensure privacy and security of PHI, and stay out of the regulators' sights.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

Filed Under: EHR, Health care policy, Health Law, HIPAA, HIT, Privacy

Comments

  1. Tom says

    May 8, 2009 at 7:57 pm

    David,
    Nice post, I like the detail and that you brought up regular security audits. I commented on your questions on our post about the Virginia breach.

    http://www.gotanga.com/blog/index.php/2009/05/08/personal-data-stolen-state-health-agency/

    Best,
    Tom

Copyright © 2006–2023
HealthBlawg is a publication of The Harlow Group LLC. See Copyright notice and disclaimer.
Fair use with attribution and a link is encouraged.