AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

AlertBoot Endpoint Security

Cost Of A Medical Data Breach In California: Penalties Fined Against 5 Hospitals

Five hospitals are feeling the pain after the California Department of Public Health (CDPH) levied fines against them.  While I doubt that these could have been prevented by the use of data protection tools like full disk encryption from AlertBoot, it shows the potential pitfalls of being caught without them.

All Fines for Employee Infractions

A total of $675,000 in fines was handed out to five hospitals.  A total of 245 patients were affected and a total of 32 employees were involved.  That works out to either $2110 per employee or $2760 per patient.  The devil is in the details, they say.  Which is why one needs to take a good look at the individual cases:

The five hospitals that were fined:

  1. Community Hospital of San Bernardino
  2. Enloe Medical Center
  3. Rideout Memorial Hospital
  4. Ronald Reagan UCLA Medical Center
  5. San Joaquin Community Hospital

In the below table, you'll notice that San Bernardino was fined twice.  All penalties were handed out because the confidentiality of patient medical records was not protected adequately, as listed out in Section 1280.15 of the California Health and Safety Code.  I've also broken down the dollar amount per patients affected or per employees involved.

According to turnto23.com, the website for the local ABC affiliate, and CDPH's teleconference, penalties of $25,000 can be handed out for one patient's medical information, and up to $17,500 for each subsequent breach for the same patient.  There is a cap of $250,000 total.

There is also a $100 per day fine for failure to report breaches.

You can listen to the CDPH's media teleconference on the penalties here.

San Bernardino

The hospital was fined for two incidents.  In one, a radiologist accessed the records of 177 patients with no "clinical reason to do so."  Turns out that she "lost a baby because she was on drugs and wanted to see records of obstetrics to see what the pregnant mothers did to get help."  Sounds to me that she does need help.

In a second incident, a hospital employee allowed a friend into a restricted area, where the visitor could overhear patients discussing their situation.

Enloe

The hospital has announced that they will challenge the fine.  I'm not sure what grounds they have for successfully fighting it, since they seem to be admitting that confidential files were accessed by unauthorized people.

I mean, it's great that the hospital discovered, investigated, and reported the problem.  It certainly signifies Enloe is keeping an eye out for potential problems.  However, it doesn't mean that there wasn't a breach.  I mean, one of the seven people who authorized* accessed the record of the patient did so because "she used to know the patient."

They have ten calendar days to appeal, though.

Update (11 JUN 2010): It looks like Enloe might have a case after all.

* Holy typo!  Where'd that come from?  I must have been really distracted.  My apologies to all.

Rideout

Seventeen security guards accessed the medical records of 33 patients.  Security guards.

UCLA

No salient details on this one.  Apparently, people with "no reason" and "no permission" accessed information because they were "curious."

San Joaquin

The hospital was fined for one incident where records were sent to a lawyer by accident.  A patient sued the hospital.  The lawyer representing the patient asked for test results for his case.  The hospital sent the results--as well as the results for three other people.

The lawyer makes off like a fox in a henhouse (I'm supposing here), because now he can get himself three more clients.  I mean, he's got the evidence already.

A Losing Battle

The thing about security is that it's always a losing battle.  For example, if you were in a situation where you only had to deal with encryption software for your data security needs, and had it deployed across all computers in an organization, you still wouldn't have 100% security.

For example, it's not going to protect against nosy employees, although it might help prevent errors where the information is sent out to the wrong person, in that the person won't have access to the information even if he receives it.

Of course, a medical setting needs more than encryption to adequately maintain patient confidentiality.  Mistakes will be made.  However, there is hope.  All of the above breaches were self-reported, and I'd say that constant vigilance, along with the help of a number of tools, is the only way to keep disasters at bay.


Related Articles and Sites:
http://www.cdph.ca.gov/Pages/NR10-039.aspx


About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.