Five Largest Fines for Medical Data Leaks

The U.S. healthcare system – one of the most developed in the world – still regularly suffers information leaks despite the efforts of the government and professional community. Over the last three years alone, the amount of fines for information security violations here approached $50 million. According to InfoWatch Analytical Center, the U.S. accounted for over 70% of all medical data leaks worldwide in 2017.

This is a digest of the five largest fines for confidential information leaks from U.S. healthcare institutions.

In 1996, the U.S. Government adopted the Health Insurance Portability and Accountability Act (HIPAA), a federal act that governs the handling of confidential medical information. Since September 2013, it has covered not only medical institutions but also their partners, and has imposed more severe penalties.

In February 2011, Maryland-based Cignet Health was slapped with a $4.3 million fine. The company had to pay $1.3 million for its refusal to provide 41 patients with copies of their health records between September 2008 and October 2009, and then another $3 million for willfully failing to cooperate with the federal government’s investigation.

As part of the most recent case, in June 2018, a federal judge imposed a $4.3 million fine against the University of Texas MD Anderson Cancer Center for HIPAA violations stemming from three data breach incidents in 2012 and 2013 when an employee’s laptop was stolen and two unencrypted thumb drives went missing, which led to the possible compromise of health records. The federal Office of Civil Rights (OCR) found that those leaks resulted from the Center’s failure to comply with encryption requirements.

In 2014, NewYork-Presbyterian Hospital and Columbia University agreed to collectively pay $4.8 million to settle charges that they disclosed electronic protected health information (ePHI) of 6,800 individuals due to a failure to conduct thorough risk analysis or implement appropriate policies and procedures to protect their information systems. The revealed data included patient statuses, vital signs, medications, and laboratory results, and was accessible to the public using Internet search engines.

In February 2017, the Department of Health and Human Services’ OCR announced that a $5.5 million settlement had been reached with Florida-based Memorial Healthcare Systems (MHS) to resolve potential Privacy Rule and Security Rule violations. The investigation revealed that employees of MHS-affiliated physician offices had inappropriately accessed the ePHI of over 115,000 patients, including names, birth dates, and social security numbers. The investigation also determined that the login credentials of a former MHS employee had been used to access the ePHI of some 80,000 individuals on a daily basis between 2011 and 2012.

In August 2016, Advocate Health Care Network, the largest integrated healthcare system in Illinois, agreed to pay $5.55 million in a settlement with OCR, the largest HIPAA enforcement action yet against a single entity. In 2013, Advocate Health reported three breaches resulting from the theft of four desktop computers containing the ePHI of approximately 4 million patients. OCR found that Advocate Health failed to fully assess the potential risks and vulnerabilities or apply proper information access controls.
