Proofpoint HIPAA Breach Report:

Transcription

1 Proofpoint HIPAA Breach Report: An Analysis of HITECH Breach Notifications and Settlements, Q Healthcare Industry Update threat protection compliance archiving & governance secure communication

2 Contents HIPAA Breach Report...3 Overall Figures... 3 Legal Environment...4 HIPAA Breaches By Location...4 HIPAA Breaches By Type... 5 HIPAA Breaches By State...6 Notable HIPAA Breaches...7 Blue Cross Blue Shield of Tennessee (BCBST) $18.5 million... 7 Cignet Health $4.3 million...8 CVS Caremark $2.25 million...9 State of Alaska $1.7 million...9 Massachusetts Eye and Ear Infirmary $1.5 million...10 RiteAid $1 million South Shore Hospital $750, TRICARE Management Activity $4.9 billion*...12 Sutter Medical Foundation $944 million $4.25 billion*...12 Proofpoint Solutions for HIPAA / Proofpoint, Inc. Proofpoint is a trademark of Proofpoint, Inc. in the United States and other countries. All other trademarks contained herein are property of their respective owners. 05/13

3 HIPAA Breach Report Proofpoint monitors a variety of security-related activities and provides Industry Updates for several areas. This report covers HIPAA breaches of 500 and greater individuals as reported to and published by the US Department of Health and Human Services (HHS). This report breaks down the breaches by number of incidents, individuals, type of breach, location of breach, and by state. Additionally, it provides a description of notable breaches including settlement costs. Proofpoint, a strong proponent of security and privacy, provides this information to help organizations and individuals stay aware of the current state of healthcare information governance with regards to Protected Health Information (PHI). Overall Figures Since 2009, 585 individual HIPAA security breaches have been posted for breaches covering over 500 individuals. Additionally, the breaches are spread over 49 US states and territories, covering 46 states. The states of Hawaii, Maine, South Dakota and Vermont are the only states without a registered breach. Healthcare Data Breaches At A Glance 1 $7 billion loss estimate across healthcare industry due to privacy breaches 94% of healthcare organizations have had at least one data breach within the last two years $2.4 million average economic impact per breach in 2012, with an increase of almost $400,000 since % of healthcare staff believes data breaches will lead to financial identity theft 18% of healthcare organizations report actual medical identity theft as a result of data breach Figure 1. Overall HIPAA Reported Breach Figures Overall Figures Approximate Number of Individuals Compromised 21,784,290 Number of Breaches 585 States with Recorded Breaches 46 A number of breaches have existed for an extended period of time, the longest of which was a breach at Duke University where their system was compromised from 2004 to For breaches where the system was compromised for an extended period of time, 250 days was the average length of compromise. Extended Breach Figure 2. Extended Breach Figures Number of Extended Breaches 57 Average Length of Extended Breaches Maximum Length of Extended Breach 250 days 9.4 years This Proofpoint report also covers the length of time it takes to post a breach from the time the breach occurred. Of the 443 breaches where the notification to the public occurred after the breach, the average length of time to post was 142 days. The maximum time to post is 9.8 years that was also the Duke University incident. Figure 3. Notification Delay Figures Notification Delay Number of Breaches with Delayed Notification 443 Average Length of Delayed Notification 142 days Maximum Length of Delayed Notification 9.8 years 1 The source data for this document is provided by the US Department of Health and Human Services and available at 1 Ponemon Institute LLC, Third Annual Benchmark Study on Patient Privacy & Data Security. December / Proofpoint, Inc. Proofpoint is a trademark of Proofpoint, Inc. in the United States and other countries. All other trademarks contained herein are property of their respective owners. 05/13

4 Legal Environment In addition to the increasingly public nature of security breaches, there has been an increase in lawsuits. A number of lawsuits seek $1,000 per compromised individual, resulting in damages figures into the billions of dollars for breaches involving over a million individuals. Billion dollar lawsuits have occurred in two incidents and are tracked in Section 2 of this update. Figure 4. Lawsuit Overview Organization Individuals Compromised Damages Sought TRICARE 4,901,432 $4.9 billion Sutter Medical Foundation Approx million $944 million - $4.25 billion HIPAA Breaches By Location The most common form of breach is through the theft or loss of backup tapes and disks, followed by EMR systems and computer systems. However, adding the various breaches attributed to computers (Network Server, Computer, Laptop, and Portable Electronic Device), this figure reaches 39%, a figure greater than both Backup Tapes and EMR systems. With lawsuits seeking $1,000 per compromised patient, it becomes evident that these areas are potentially financially risky a 5 million patient compromise resulting in a $5 billion lawsuit. Figure 5. Number of Patients Compromised by Location 4 / Proofpoint, Inc. Proofpoint is a trademark of Proofpoint, Inc. in the United States and other countries. All other trademarks contained herein are property of their respective owners. 05/13

5 HIPAA Breaches By Type Data breaches involving electronic PHI (ephi) occur through a variety of means. The largest number of records and most number of breaches occur due to improper security of ephi resulting in theft, loss, hacking and unauthorized access. This is evident in both the number of patients exposed per type and also by the number of losses per type as shown below. Figure 6. Number of Patients Compromised by Type Figure 7. Number of Breaches by Type 5 / Proofpoint, Inc. Proofpoint is a trademark of Proofpoint, Inc. in the United States and other countries. All other trademarks contained herein are property of their respective owners. 05/13

6 HIPAA Breaches By State HIPAA Breaches have occurred in 29 US States and Territories. Of the 50 states, only Hawaii, Maine, South Dakota, and Vermont have not experienced any breaches. By number of individuals affected, the top 10 states, represent 19 million people or 87% of all individuals affected. With breaches across 46 of the 50 states, it appears breaches are not targeted towards any individual state; however, certain states have historically had more breaches. Figure 8. Affected Individuals And Number of Breaches for Top 10 States The affected individuals in the top two states represent a significant portion of those states populations. Figure 9. Affected Individual Equivalents for Top States States of Note Virginia California Breaches in Context The affected individuals in the top two states represent a significant portion of those states populations. The nearly 4 million people affected are equivalent to a number greater than everyone living in Los Angeles. 6 / Proofpoint, Inc. Proofpoint is a trademark of Proofpoint, Inc. in the United States and other countries. All other trademarks contained herein are property of their respective owners. 05/13

7 Notable HIPAA Breaches HIPAA breaches are becoming more costly with the passage of the HITECH Act with settlement and remediation costs in the millions and class-action lawsuits seeking billions of dollars. Under calculations by the US Department of Health and Human Services (HHS) Office of Civil Rights (OCR), penalties can reach $50,000 per day, having easily reached the $1.5 million per year limit stipulated by HITECH. This section provides case studies for select HIPAA breaches so healthcare practitioners can get up to date information on compliance and remediation costs and approaches. Of note, some patients have initiated class-action lawsuits seeking $1,000 per affected member with aggregate damages sought reaching into billions of dollars. With the importance of data privacy and identity theft, organizations should take steps to prevent breaches or be prepared to face these types of lawsuits if a breach does occur. Blue Cross Blue Shield of Tennessee (BCBST) $18.5 million Breach Information: Blue Cross Blue Shield of Tennessee Blue Cross Blue Shield of Tennessee Individuals Affected 1 million HIPAA Security Rule breach $18.5 million total $1.5 million: HHS civil money penalty (CMP) $11 million: customer alerts and HIPAA compliance $6 million: encrypt data 885 terabytes of data Breach Date October 2, 2009 Theft of 57 unencrypted hard drives consisting of demographic information, Social Security numbers, diagnosis codes and health plan identification numbers. In 2009, 57 hard drives with ephi was stolen from BCBST with information for 1 million patients. This resulted in a cost of $18.5 million with $11.5 million being associated with handling the single theft event. Additionally, more than $6 million and 5,000 man-hours of effort were spent to encrypt data at-rest totaling 885 terabytes to ensure this type of breach does not happen again. 7 / Proofpoint, Inc. Proofpoint is a trademark of Proofpoint, Inc. in the United States and other countries. All other trademarks contained herein are property of their respective owners. 05/13

8 Cignet Health $4.3 million Breach Information: Cignet Health Cignet Health of Prince George s County, MD Individuals Affected 41 HIPAA Privacy Rule breach $4.3 million total HITECH (d) $1,351,600 HIPAA civil money penalty (CMP) $3.0 million fine for willful neglect and failure to cooperate with HHS Office of Civil Rights (OCR) Refusal to provide access to medical records for 41 patients and the HHS OCR Breach Date September 2008 October patients had requested access to medical records from September 2008 to October Covered entities are required to respond within 30 days and no later than 60 days. Cignet did not respond which resulted in a CMP of $1.3 million. During OCR investigations, Cignet allegedly refused to respond to OCR investigations that ran from March 17, 2009 to April 7, 2010, including failure to respond to a court ordered subpoena. OCR was able to obtain a default judgment against Cignet in United States District Court and added a $3.0 million fine for willful neglect of the HIPAA Privacy Rule, resulting in a total fine of $4,351,600. The $1,351,600 base CMP was the minimum HIPAA fine and calculated using $100 / day for 13,516 penalty days during which Cignet ignored patient requests. The $3 million willful negligence penalty was calculated at $50,000 per day of non-compliance with the OCR investigation resulting in a $242 million fine for the 4,859 patient days in 2009 and 2,619 patient days in The penalty was reduced to $3 million or the $1.5 million per year allowed under the HITECH Act. 8 / Proofpoint, Inc. Proofpoint is a trademark of Proofpoint, Inc. in the United States and other countries. All other trademarks contained herein are property of their respective owners. 05/13

9 CVS Caremark $2.25 million Breach Information: CVS Caremark Corp. Individuals Affected 955 CVS Caremark Corp. HIPAA Privacy Rule breach $2.25 million Breach Date August 13, 2012 Improper disposal of PHI in unsecure dumpsters that were accessible by the public. The HHS OCR and Federal Trade Commission (FTC) investigated CVS after media reports alleged that PHI was being disposed of in unsecure dumpsters. The investigation found that CVS failed to implement proper policies, procedures, and training for employees to properly recognize and securely dispose of PHI. In addition to the $2.25 million CMP, the Corrective Action Plan requires updated disposal procedures, sanctioning of non-compliant workers, and a 3 year period during which CVS is required to send compliance reports to OCR. State of Alaska $1.7 million Breach Information: Alaska Department of Health and Human Services Individuals Affected 501 Alaska Department of Health and Human Services (ADHHS) HIPAA Security Rule breach $1.7 million Breach Date October 12, 2009 Other s Theft of USB flash drive containing ephi from car of ADHSS An unencrypted flash drive was stolen from the car of an ADHHS IT worker. ADHHS wasn t certain the device contained PHI, but since it was unencrypted, they reported it to USDHSS OCR. OCR conducted an investigation and found that ADHHS did not have adequate polices and procedures to protect ephi. Additionally, ADHHS had not conducted and/or implemented a risk analysis, risk management procedures, device and media controls or an ephi encryption system. OCR issued a $1.7 million CMP fine and a corrective action plan that includes ADHHS to review, revise and maintain policies to stay in compliance with HIPAA. A monitor will provide OCR with regular updates on ADHHS progress on HIPAA compliance. On September 7, 2010, ADHHS lost ephi for 2000 individuals due to theft 9 / Proofpoint, Inc. Proofpoint is a trademark of Proofpoint, Inc. in the United States and other countries. All other trademarks contained herein are property of their respective owners. 05/13

10 Massachusetts Eye and Ear Infirmary $1.5 million Breach Information: Massachusetts Eye and Ear Infirmary Individuals Affected 3,621 Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates (MEEI) HIPAA Privacy and Security Rule breach $1.5 million Breach Date February 19, 2010 Theft of unencrypted laptop including prescriptions and clinical information for 3,621 patients and research subjects MEEI reported the theft of an unencrypted laptop containing patient records for 3,621 individuals. As part of its investigation the OCR concluded that MEEI was not: performing a thorough analysis of risk to the confidentiality of the ephi stored on the laptop Other s adopting and implementing policies and procedures to restrict access to ephi to authorized users of portable devices. OCR s investigation found that additional breaches occurred over an extended period of time, demonstrating a long-term, organizational disregard for the requirements of the Security Rule. MEEI settled for a $1.5 million CPM fine and agreed to take corrective measures with reporting over 3 years. On November 10, 2009 employees improperly accessed patient credit card information including names, addresses and credit card information. Per HIPAA requirements, MEEI notified the affected individuals, the media and HHS. MEEI terminated the involved employees, offered 1 year of free credit card monitoring to individuals, revised their safeguards policy, and reviewed processes for credit card payment. 2 US Department of Health and Human Services. News Release: Massachusetts provider settles HIPAA case for $1.5 million. September 17, / Proofpoint, Inc. Proofpoint is a trademark of Proofpoint, Inc. in the United States and other countries. All other trademarks contained herein are property of their respective owners. 05/13

11 RiteAid $1 million Breach Information: RiteAid RiteAid Individuals Affected Approximately 2,900 HIPAA Privacy Rule breach $1.0 million Breach Date October 10, 2011 Improper disposal of PHI in unsecure dumpsters that were accessible by the public. A local television station filmed RiteAid employees dumping patient prescriptions and other PHI in local dumpsters. An investigation by the OCR and FTC followed and confirmed that improper disposal of patient prescriptions was occurring in numerous cities. Under the settlement, RiteAid has agreed to train its workforce on HIPAA Privacy Rule requirements, monitor its progress internally, and allow an outside monitoring agency to review its progress with respect to the settlement. The $1 million fine equates to just over $200 per each of RiteAid s 4,900 stores. South Shore Hospital $750,000 Breach Information: South Shore Hospital Business Associate Individuals Affected 800,000 South Shore Hospital Archive Data Solutions (formerly Iron Mountain Data Products, Inc.) HIPAA Security Rule breach $750,000 million Breach Date February 25, 2010 Theft of nearly 500 unencrypted backup tapes. The hospital sent nearly 500 unencrypted backup tapes with ephi in 3 boxes to be erased by Archive Data Solutions after which the tapes went missing. The ephi included patient names, Social Security numbers, and data for financial, clinical and medical diagnoses. The hospital was able to recover one tape but was fined $750,000, which was reduced by $275,000 for technology investments made after the breach. 11 / Proofpoint, Inc. Proofpoint is a trademark of Proofpoint, Inc. in the United States and other countries. All other trademarks contained herein are property of their respective owners. 05/13

12 TRICARE Management Activity $4.9 billion* Breach Information: TRICARE Management Activity Business Associate Individuals Affected 4,901,432 TRICARE Management Activity Science Applications International Corporation (SAIC) HIPAA Security Rule breach Breach Date September 13, 2011 $4.9 billion sought in class-action lawsuit, representing $1,000 per individual affected Loss of unencrypted backup tapes possibly containing patient addresses, phone numbers, Social Security numbers and clinical data. A computer tape containing ephi of 4.9 million patients was stolen from the car of an employee of Science Applications International Corp., a contractor with TRICARE Management Activity. A class-action lawsuit seeking $1,000 per individual was filed by the law firm of Shulman, Rogers, Gandal, Pordy & Ecker of Maryland on behalf of an Air Force veteran of the first Iraq war and a military spouse. Defendants in the suit are named as TRICARE and Defense Secretary Leon Panetta. In this instance, TRICARE has declined to provide identity theft protection. By comparison, the Veterans Affairs Department offers credit monitoring services and up to $1 million in annual identity theft protection at a cost of $29.95 per year per veteran. Other covered entities experiencing HIPAA breaches have also offered identity theft protection. Sutter Medical Foundation $944 million $4.25 billion* Breach Information: Sutter Medical Foundation Individuals Affected Sutter Medical Foundation 943,434 individuals for clinical data and medical diagnoses 3.3 million individuals for demographic data HIPAA Security Rule breach $750,000 million Theft of computer containing PHI. Breach Date October 15, 2011 Theft of a single computer containing clinical data and medical diagnoses for nearly 1 million patients along with demographic data for more than 3.3 million patients. This breach also affected 21 other healthcare providers. The theft occurred when someone used a rock to break a window at Sutter Medical Foundation s administrative offices to remove an unencrypted desktop computer containing a patient database. While Sutter Medical Foundation had initiated an encryption program, the initial focus was handheld devices and had not reached this system. In addition to the breach, which occurred on October 15, 2011, notifications to patients did not occur until November 16, 2011, one month later. 11 lawsuits have been initiated seeking $1,000 per affected individual. Some lawsuits are focused on the 943,434 patients and seek $1 billion while others seek to represent all affected patients and seek $4.25 billion. 12 / Proofpoint, Inc. Proofpoint is a trademark of Proofpoint, Inc. in the United States and other countries. All other trademarks contained herein are property of their respective owners. 05/13

13 Proofpoint Solutions for HIPAA Proofpoint is a leading provider of Information Security and Governance Solutions that can be deployed to meet the requirements of the HIPAA Privacy and Security Rules. This solution suite provides solutions to protect data-at-rest in a secure archive while also meeting HIPAA and Medicare records retention requirements and protecting data in-motion. To learn more about how Proofpoint solutions are addressing the requirements of HIPAA and HITECH for leading healthcare organizations, please contact us at Proofpoint, Inc. 892 Ross Drive, Sunnyvale, CA Tel: / Proofpoint, Inc. Proofpoint is a trademark of Proofpoint, Inc. in the United States and other countries. All other trademarks contained herein are property of their respective owners. 05/13