A Recent $2 Million HIPAA Penalty for Exposed Patient Data
If you work in a health care organization and handle sensitive patient health data, you’ve probably heard about the recent case in which US regulators hit St. Joseph Health System with a penalty of $2.14 million for HIPAA violations. That penalty is just the tip of the iceberg: St. Joseph Health also settled for $28 million in a class action lawsuit due to the same incident.
The point of this post isn’t to cast blame. Our job is to help organizations avoid similar mistakes and costly losses.
The true cost of a HIPAA violation
The penalties were likely so high for St. Joseph Health for two reasons. First, the organization performed a “patchwork” of risk assessments instead of the comprehensive, enterprise-wide risk analysis that the HIPAA Security Rule requires, which is itself a Security Rule violation. Second, even after discovering a file sharing application on a new server, the organization left the application’s default settings in place, and those defaults allowed public access. The result is that over 30,000 patient records were publicly searchable via Google for over a year.
Multiple factors can elevate the financial penalties for HIPAA violations:
- High number of exposed patient records
- Type of information exposed
- Prolonged period of the exposure
- Absence of proper risk assessments
- Insufficient measures taken to protect data
- Failure to remediate known vulnerabilities
Attention-grabbing headlines about HIPAA violations and fines also damage reputations, and that kind of brand equity loss is felt even after fines have been paid. Being able to show the public that your organization has taken full responsibility by implementing comprehensive cloud security measures can go a long way to repairing your reputation and recovering brand equity.
File sharing and HIPAA
The good news is that file sharing of patient health information can be managed and controlled if you implement a strong cloud security solution.
- File sharing policies and procedures operationalized through software like CipherCloud’s allow you to spot potential violations of HIPAA, monitor user activity, and enforce your policies.
- Ongoing cloud discovery automatically inventories every cloud service in use, sanctioned and unsanctioned, so that a file sharing application nobody knew about (as in the St. Joseph case) shows up before search engines find it.
- Encryption and tokenization ensure that even if data were to fall into the wrong hands, the data is unreadable and therefore of no use to unauthorized parties. The HIPAA Security Rule lists encryption of PHI as an “addressable” implementation specification: you must assess whether it is reasonable and appropriate for your environment, implement it if so, and otherwise document why not and put an equivalent alternative measure in place. Encrypted PHI (encrypted in line with HHS guidance) is also not “unsecured” PHI under the Breach Notification Rule, so its loss does not by itself trigger notification. In practice, encryption is your best hope of both complying with HIPAA and limiting the fallout of an exposure.
- Active Encryption, the encryption approach CipherCloud provides, ensures that your data stays protected as it travels among clouds, such as from your file sharing applications to your CRM to your billing system, rather than being decrypted at each boundary. This is what lets a health organization protect sensitive patient information consistently in a multi-cloud environment.
- End-to-end protection: if users access sensitive PHI from their mobile devices, you need to be certain the data stays encrypted all the way to the endpoint and that access can be revoked if the device is lost or stolen. CipherCloud provides end-to-end encryption with mobile apps for iOS, Android, Mac and Windows.
Take action to protect your patient data
File sharing applications can help everyone in the circle of care deliver health care more efficiently. The answer to the risks of cloud-based file sharing applications isn’t to lock them down and prevent users from using them. The answer is to know all your cloud applications and all your users, set and document policies, implement a cloud security solution for a multi-cloud strategy, and educate everyone in the circle of care. You can demonstrate compliance with HIPAA and reasonable care to protect patient information, while protecting your organization from expensive lawsuits and government fines. Best of all, you’ll stay competitive in the health care delivery market.
CipherCloud has helped other organizations protect patient data and comply with HIPAA. If you’ve got any doubt about the security of your sensitive data, ask to speak to one of our experts in health care data security. (855) 5CIPHER (855-524-7437)
To learn more about health information compliance, visit our HIPAA and HITECH Compliance Resource Center.