Aventura Hospital and Medical Center has found that the HIPAA breaches it suffered over the past 2 years were merely the tip of the iceberg. It has now announced a 3rd security breach, which has affected as many as 82,601 people. The healthcare provider discovered the breach only recently, although it began just one day after the previous one was rectified.
The data of 948 patients was exposed between October 1, 2012 and December 31, 2012, with a 2nd HIPAA breach happening between January 1, 2012 and September 12, 2012, impacting 2,560 patients. The 3rd breach began the next day, September 13, 2012, with access to the files lasting until June 9, 2014.
The most recent HIPAA breach was caused by one of its business associates, Valesco Ventures. The firm was warned in May about a worker who might have improperly accessed patient files, but it was not until early June that it was established that the worker in question had improperly accessed patient names, Social Security numbers and dates of birth of as many as 82,601 people, according to a report on Local10.com.
Terry Meadows, M.D., the manager of Valesco, confirmed that no financial information or medical data was exposed during the breach, and said that “Aventura Hospital and Valesco Ventures are helping law enforcement to find as well as impeach all responsible partakers.”
Data theft and employee snooping for personal gain can be difficult to detect and prevent, although healthcare providers can apply several procedures and policies to reduce the opportunity for workers to steal or improperly access data. They must also have systems in place to quickly identify people who do so.
Since the Omnibus Rule came into effect, business associates (BAs) can be held responsible for any data breaches resulting from HIPAA violations they have caused, such as not having the proper administrative, technical, and physical safeguards in place to protect HIPAA-covered data. The entity hiring a BA is also not exempt from financial penalties should it be found that it also violated HIPAA Rules and contributed to the cause of the breach.
The Office for Civil Rights (OCR) has been monitoring HIPAA compliance more closely in recent years, and it has already announced several major penalties for HIPAA breaches that led to personal identifiers, healthcare data, and Social Security numbers of patients being exposed. The OCR has the authority to issue penalties of up to $1.5 million per breach type, per year. In this incident, that could result in a penalty of up to $3 million.
While such a large-scale data exposure is highly disturbing, so too is the time it took Aventura and Valesco Ventures to stop the breach and notify the victims. The company first became aware of a possible HIPAA breach on May 28, 2014, when it was alerted to the fact that a worker “might have unacceptably accessed the private identifying info of many patients of Aventura Hospital”.
It was not until 3 months later, on Sept 9, 2014, that the firm issued breach notices to the affected patients. Under the HIPAA Breach Notification Rule, covered entities have up to 60 days to report HIPAA breaches to the OCR and notify the people who have been affected.
PHIprivacy.net reported on a legal notice it found, which had been issued to various media outlets concerning the breach.