Five hospitals are feeling the pain after the California Department of Public Health (CDPH) levied fines against them. While I doubt that these incidents could have been prevented by data protection tools like full disk encryption from AlertBoot, they show the potential pitfalls of being caught without adequate safeguards.
A total of $675,000 in fines was handed out to five hospitals. A total of 245 patients were affected and 32 employees were involved. That works out to roughly $21,100 per employee or $2,760 per patient. The devil is in the details, they say, which is why one needs to take a good look at the individual cases.

The five hospitals that were fined:

Community Hospital of San Bernardino
Enloe Medical Center
Rideout Memorial Hospital
Ronald Reagan UCLA Medical Center
San Joaquin Community Hospital
In the below table, you'll notice that San Bernardino was fined twice. All penalties were handed out because the confidentiality of patient medical records was not adequately protected, as set out in Section 1280.15 of the California Health and Safety Code. I've also broken down the dollar amount per patient affected and per employee involved.
According to turnto23.com, the website for the local ABC affiliate, and CDPH's teleconference, a penalty of $25,000 can be handed out for the first breach of one patient's medical information, and up to $17,500 for each subsequent breach involving the same patient. There is a cap of $250,000 per incident.

There is also a $100 per day fine for failure to report breaches on time.
You can listen to the CDPH's media teleconference on the penalties here.
The hospital was fined for two incidents. In one, a radiologist accessed the records of 177 patients with no "clinical reason to do so." Turns out that she "lost a baby because she was on drugs and wanted to see records of obstetrics to see what the pregnant mothers did to get help." Sounds to me that she does need help.
In a second incident, a hospital employee allowed a friend into a restricted area, where the visitor could overhear patients discussing their situation.
The hospital has announced that it will challenge the fine. I'm not sure what grounds it has for successfully fighting it, since it seems to be admitting that confidential files were accessed by unauthorized people.

I mean, it's great that Enloe discovered, investigated, and reported the problem. It certainly signifies that Enloe is keeping an eye out for potential problems. However, it doesn't mean that there wasn't a breach. One of the seven people who accessed the patient's record did so because "she used to know the patient."

They have ten calendar days to appeal, though.

Update (11 JUN 2010): It looks like Enloe might have a case after all.
Seventeen security guards accessed the medical records of 33 patients. Security guards.
No salient details on this one. Apparently, people with "no reason" and "no permission" accessed information because they were "curious."
The hospital was fined for one incident in which records were sent to a lawyer by accident. A patient sued the hospital. The lawyer representing the patient asked for the test results for his case, and the hospital sent them--along with the results for three other patients.
The lawyer makes off like a fox in a henhouse (I'm supposing here), because now he can get himself three more clients. I mean, he's got the evidence already.
The thing about security is that no single control wins the battle outright. Even if data security for you meant nothing but encryption software, and you had it deployed on every computer in the organization, you still wouldn't have 100% security.

Encryption does nothing against nosy employees: a radiologist or a security guard who can log in to the records system is, as far as the encryption is concerned, an authorized user, and the data is decrypted for them. Where it can help is the misdirected-information case, like the test results sent to the lawyer, and then only if the file is encrypted so that the unintended recipient has no key to open it.

Of course, a medical setting needs more than encryption to adequately maintain patient confidentiality. Mistakes will be made. However, there is hope. All of the above breaches were self-reported, which means someone at each hospital was watching access to records closely enough to notice. Constant vigilance, along with a number of tools, is the only way to keep disasters at bay.
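The nosy-employee cases above (a radiologist browsing obstetrics charts, security guards reading records, a staffer looking up someone she used to know) are exactly what encryption does not stop and what an access-log review does catch. The following is an added example, not code from the original post or from AlertBoot, of the kind of check a hospital's audit review would run: each record access is compared against a care-team list, accesses with no treatment relationship and no role-based justification are flagged, and a user who reads many patients outside their care team is reported as a browsing pattern rather than a one-off. The log format, role names, care-team table and threshold are all constructed for illustration.

```python
"""Flag 'curious' access to patient records in an EHR audit log.

Added example, not code from the original post or from AlertBoot. The log
format, role names, policy tables and threshold are assumptions for illustration.
"""
from collections import defaultdict

# Constructed sample audit log: (user, role, patient_id, record_type).
# It mirrors the cases in the post: a radiologist reading obstetrics charts,
# security guards reading a chart, and one clerk reaching past her job function.
SAMPLE_LOG = [
    ("dr.ortiz", "physician", "P001", "obstetrics"),      # treating physician
    ("rn.lee", "nurse", "P001", "obstetrics"),            # on the care team
    ("rad.kim", "radiologist", "P001", "obstetrics"),     # no clinical reason
    ("rad.kim", "radiologist", "P002", "obstetrics"),
    ("rad.kim", "radiologist", "P003", "obstetrics"),
    ("guard.a", "security", "P004", "emergency"),
    ("guard.b", "security", "P004", "emergency"),
    ("clerk.w", "registration", "P005", "demographics"),  # registration may see this
    ("clerk.w", "registration", "P005", "lab_results"),   # but not this
]

# Constructed treatment relationships: patient -> users with a clinical reason to look.
CARE_TEAM = {
    "P001": {"dr.ortiz", "rn.lee"},
    "P002": {"dr.ortiz"},
    "P003": {"dr.ortiz"},
    "P004": {"dr.ortiz"},
    "P005": {"dr.ortiz"},
}

# Assumed policy: record types a role may read without being on the care team.
ROLE_ALLOWLIST = {
    "registration": {"demographics"},
}

# Assumed policy: roles with no clinical duties; any chart access is a finding.
NON_CLINICAL_ROLES = {"security"}

# Assumed threshold: more distinct off-care-team patients than this is a pattern.
BROWSING_THRESHOLD = 2


def flag_access(log, care_team, role_allowlist=ROLE_ALLOWLIST,
                non_clinical_roles=NON_CLINICAL_ROLES,
                browsing_threshold=BROWSING_THRESHOLD):
    """Return (findings, browsers).

    findings: list of (user, patient_id, reason) for every access that had
              neither a treatment relationship nor a role-based justification.
    browsers: dict user -> count of distinct off-care-team patients, for users
              above browsing_threshold (the 177-patient radiologist case).
    """
    findings = []
    off_team_patients = defaultdict(set)
    for user, role, patient_id, record_type in log:
        if user in care_team.get(patient_id, set()):
            continue  # clinical relationship: nothing to flag
        if record_type in role_allowlist.get(role, set()):
            continue  # job function justifies this record type
        reason = ("non-clinical role" if role in non_clinical_roles
                  else "no treatment relationship")
        findings.append((user, patient_id, reason))
        off_team_patients[user].add(patient_id)
    browsers = {u: len(p) for u, p in off_team_patients.items()
                if len(p) > browsing_threshold}
    return findings, browsers


if __name__ == "__main__":
    flagged, patterns = flag_access(SAMPLE_LOG, CARE_TEAM)
    for user, patient_id, reason in flagged:
        print(f"FLAG    {user} read {patient_id}: {reason}")
    for user, count in patterns.items():
        print(f"PATTERN {user} read {count} patients outside their care team")
```

On the constructed log this flags the three radiologist reads, both guards and the clerk's lab-result lookup, leaves the physician, the nurse and the clerk's demographics lookup alone, and singles out the radiologist as a browsing pattern. The care-team table is the hard part in a real deployment: it has to be derived from admissions, orders and scheduling data, and a user who "used to know the patient" will never appear in it, which is precisely why this check finds them.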
Related Articles and Sites:
http://www.cdph.ca.gov/Pages/NR10-039.aspx