A number of recent events, taken together, should give pause to any individual or company that is bound by a business associate agreement or is a “covered entity” possessing PHI (as well as their respective attorneys).

1. Anchorage Community Mental Health Services (ACMHS) notified OCR of a breach of unsecured PHI caused by malware that compromised the security of its IT systems. The breach affected 2,743 individuals. ACMHS had adopted security rules, policies and procedures in 2005, but under its Resolution Agreement with the government it was found that ACMHS had failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of its E-PHI. Aside from the various undertakings in the Resolution Agreement, ACMHS is subject to a $150K fine.

2. Sony Pictures Entertainment (SPE), the victim of a cyber-attack, has realized that based on the more than 200 GB of data that has already been released by the hackers, there have been more than 30,000 HR records compromised. Accordingly, Sony has released a notification letter that is extremely broad. The following language was included: “Although [SPE] is in the process of investigating the scope of the cyber-attack, SPE believes that the following types of personal identifiable information that you provided to SPE may have been obtained by unauthorized individuals: (i) name, (ii) address, (iii) Social Security number, driver’s license number, passport number and/or other government identifier, (iv) bank account information, (v) credit card information for corporate travel and expense, (vi) username and passwords, (vii) compensation and (viii) other employment related information. In addition, unauthorized individuals may have obtained (ix) HIPAA protected health information, such as name, Social Security number, claims, appeals information you submitted to SPE (including diagnosis and disability code), date of birth, home address, and member ID number to the extent that you and/or your dependents participated in SPE health plans, and (x) health/medical information that you provided to us outside of SPE health plans.”

HIPAA/HITECH breaches have now moved beyond employees improperly accessing and disseminating PHI, or the loss or theft of a laptop left in a car, to the vulnerabilities that “rich targets” for hackers, such as major corporations, present. I think it is fair to assume that the hackers’ primary target was not health records.

3. To further compound the problem, on November 11, 2013, the Connecticut Supreme Court ruled in Byrne v. Avery Center for Obstetrics and Gynecology, P.C. that HIPAA does not necessarily preclude a private action (brought by the victim or victims) for negligence on the part of the covered entity, and that the HIPAA regulations may (at least theoretically) be used in determining the applicable standard of care. Simply stated, a single violation of HIPAA, e.g. the loss or theft of a hard drive or thumb drive, or the mass dissemination of one person’s personal information over the internet after that person’s PHI was the subject of a single breach, could subject the health provider or its associates to damages well beyond anything ever contemplated by HIPAA. In the former case, a class action by many thousands of individuals is a real possibility. In the latter case, imagine if the medical records of a single high-profile person, e.g. a famous executive or actor/actress, were obtained in violation of HIPAA and then disseminated on the internet. In either case, the legal fees and damages (as well as the settlement value) could be staggering.

What these three seemingly unrelated issues point towards, taken together, is that covered entities and their associates may be held responsible for failing to adequately protect their PHI when malware enters their systems or their systems are hacked, at a time when even major corporations that devote significant resources to protecting their data can be hacked. In addition, the release of HR data, which could easily implicate HIPAA, could make these entities not only prime targets for hackers, but also major marks for class-action or high-value negligence lawsuits.

It seems clear to me that the level of vulnerability, responsibility and accountability has recently risen to a higher degree of significance.


Peter Boland, PhD

My view is that potential security breaches are the sleeper issue facing C-suites in 2015, and healthcare systems are a prime target given the sensitivity of medical records. The threat extends far beyond HIPAA implications and points to the central tenet of medical care “to do no harm.” Boards of Directors have a fiduciary responsibility to their institutions and this includes taking adequate protections to combat security and privacy breaches, which are now part of the “new normal” of managing healthcare transactions — and related data — on behalf of patients, employers and payers.

Peter Boland, PhD
Boland Healthcare
Berkeley, California

Jessica Parker

Thank you for uploading this informative article. Security issues related to PHI have always posed challenges for doctors. At times PHI security goes unnoticed because doctors are busy juggling patient care and revenue challenges. I feel it should be one of the top priorities for all healthcare organizations because even if they manage to get paid for all rendered services, one HIPAA breach can land them in legal hassles and all the hard-earned money will go into paying penalties.

