AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

AlertBoot Endpoint Security


Business Associates And HIPAA: Boston Medical Center Cuts Ties With Transcription Service Provider

Boston Medical Center has cut ties with a vendor, a transcription company that they had been doing business with for 10 years, after the latter had a data breach, according to bostonglobe.com. Over 15,000 patients were affected when their information was posted to a website operated and used by MDF Transcription Services (and its subcontractors).

The records in question were not secured with a password, which admittedly sounds bad, but with details of any kind being sketchy, it's hard to gauge how serious this actually was. (For example, were these records posted on MDF's public website for anyone to see? If so, the lack of a password is the least of the worries.)

Whatever the details, the breach must have been egregious enough to deserve the termination of a business arrangement that spanned a decade.

Purely Medical Information Involved

The Globe article notes that the "records contained patients' names, addresses, and medical information, including what drugs they were taking, but did not include Social Security numbers or financial information."  Furthermore, there's no evidence that unauthorized people looked at these "exposed" personal records (I assume that MDF had some kind of log that kept track of who accessed which files and when).

Of course, the fact that SSNs, credit card numbers, and other information that is routinely stolen and used for fraudulent ends was not breached is something of a relief. However, there are legitimate reasons why purely medical information should not be breached either, and HIPAA rightly requires that sensitive medical information be properly protected from unauthorized access.

Still, does it really warrant severing ties with a company that must have been doing things right? After all, a 10-year-old relationship points towards MDF having done a good job, at least when it comes to transcribing information (or whatever it is that MDF did for Boston Medical Center).

The severity of the outcome surprises me.

HIPAA Business Associates Should Be Wary

When we are contacted by a company that identifies itself as a HIPAA business associate, they are generally concerned with what the Office for Civil Rights (HHS OCR) could possibly do to them (fines, sanctions, etc.), as well as the negative public relations impact of having a data breach associated with their business.

Based on the Boston Medical Center case, it looks like BAs have an even more concrete reason for complying with the HIPAA Security Rule: losing a sizable and prestigious client is one of those things that no business wants to face.

Related Articles and Sites:
http://www.phiprivacy.net/boston-medical-center-fires-vendor-after-data-breach/
http://www.bostonglobe.com/business/2014/04/29/boston-medical-center-fires-vendor-after-data-breach/jboHN1Aq1x2JAE5amyEHiO/story.html

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.