HIPAA On The Go

In today’s day and age we are living a mobile lifestyle. We shop online, surf the web while we walk and talk, and somehow find more comfort in staring at our mobile devices than at another human. While the world seems to be spinning faster these days, we can’t shake off the responsibility that comes with caring for a mobile device as a medical professional. Below are some cases physicians can learn from.

Easter Seals PHI Breach via Stolen Laptop

The Easter Seal Society of Superior California sent out notification letters upon discovering that a laptop containing patient information had been stolen from an employee’s car on December 10th, 2013.

Easter Seals immediately launched an internal investigation into the incident. They also hired specialized data security counsel as well as external forensic experts to help determine the magnitude of the breach.

Although this particular computer was powered off, password protected, and not connected to the internet at the time of its theft, it was confirmed that emails containing health information of certain clients and potential clients could still be accessed. The information in these emails included the children’s names, dates of birth, health care provider information, health care billing information, patient identification numbers, and occupational therapy notes.

There were no confirmed attempts at fraud pertaining to this health information, but Easter Seals went above and beyond to make sure that their clients felt protected and secure regardless. The company commented in their letter, saying, “Out of abundance of caution and in order to help you detect the possible misuse of your child’s information, Easter Seals has arranged to have AllClear ID protect your child’s identity for 12 months at no cost to you.” Additionally, a phone number was provided to clients, who could then work with an investigator to recover any financial losses, restore credit, and make sure that any identity affected was returned to its proper condition.

Easter Seals also enrolled its clients in AllClear Pro, an additional service that adds more protection, credit monitoring, and a $1 million identity theft insurance policy. Furthermore, a confidential inquiry call line for clients was made available.

President and CEO, Gary T. Kasai, concluded the notification letter stating “protection and security of client information remains Easter Seal’s highest priority”.

Takeaways:

  • Make sure that all your PHI is encrypted
  • Take ownership of the problem right away to avoid further potential pitfalls

Miami Resident Pleads To Tax Fraud And Identity Theft But Where Did She Get the PII?

The United States Secret Service, Internal Revenue Service, along with two Florida Police Departments worked with the U.S. Attorney’s Office in an identity theft investigation that potentially affected more than 1,560 victims.

On March 12, 2012, the Tallahassee Police Department stopped Ashley Assgill Glover, 28, of Miami, Florida, and found her in possession of personal identifying information (PII) for more than 800 individuals. Debit cards loaded with tax refunds linked to fraudulent tax returns were also discovered in Glover’s possession. These tax returns, according to the IRS, were drafted to claim approximately $369,848 in fraudulent returns.

Just three months later, Glover was stopped again, this time by the Coral Springs Police Department, and was found to be in possession of PII for more than 160 more victims. Five months after this incident, Glover was stopped once again, by the Florida Department of Agriculture, and yet another list of PII was discovered, for more than 600 victims. Whether Glover was a poor driver or just unlucky remains unclear.

Commissioner of Agriculture, Adam H. Putnam, commented in the Florida Department of Agriculture and Consumer Services’ press release on the incident, saying, “It is part of the mission of the FDACS to safeguard Floridians from fraud and deception. I’m proud that our officers could support this investigation and prevent hundreds more from falling victim to identity theft.”

On April 19, 2014, Glover is scheduled to be sentenced by U.S. District Court Judge Mark Walker on three separate charges, all of which she pleaded guilty to: one count of theft of government property, one count of possession of unauthorized devices, and one count of aggravated identity theft.

Multiple Laptop Thefts Cause Accretive Health to Cease Business in Minnesota

Over an approximately two-year period, Accretive experienced the theft of six laptops in three separate incidents due to what appears to be a lack of security standards.

Accretive Health, Inc., a Chicago-based consultant hired by Fairview Health Services and North Memorial Health Care to work on billing issues, will be required to cease all operations in the state of Minnesota under the settlement of a federal lawsuit brought against the company by the Attorney General.

The first theft occurred in June 2010, when Accretive’s Brandon Webb left a company laptop in plain sight in his rental car in the parking lot of an Old Mexico Restaurant in Roseville, Minnesota. This laptop was said to be encrypted and was rendered inoperable about two hours after the theft occurred, according to documents released by Attorney General Lori Swanson. Because of this, the theft was not considered a security breach that put any patient records at risk.

On July 25, 2011, Accretive’s Matthew Doyle experienced a similar scenario when he left his laptop in his car, in plain view once again, while enjoying dinner at a restaurant in the Seven Corners neighborhood of Minnesota. However, this laptop was not encrypted, and after further investigation by the Attorney General it was determined that Doyle should not have had access to the data of approximately 23,000 patients that was stored on his laptop. Doyle, a revenue cycle employee, had access to 15.4 gigabytes of data, more than 600 files containing PHI or PII, and 20 million records.

These thefts were only the beginning of the Attorney General’s Office investigation into Accretive. A lawsuit was filed in January that alleged the company violated state and federal health privacy laws as well as state debt collection laws. This suit was later amended to add allegations that Accretive was responsible for aggressive collection practices in hospital emergency rooms; the Attorney General’s Office has obtained sworn affidavits from about 60 patients on this matter.

Accretive Health released its own statement on the matter on July 30, 2012, a day before the Attorney General’s statement was released. Accretive states that the settlement “contains no admission of liability or wrongdoing,” and its CEO, Mary Tolan, argued instead that “entering into this settlement agreement allows our Company to put this matter behind us and prevents further distraction from the important work that we do for our hospital clients.”

The company also claims that the Attorney General “did not and could not identify a single patient in Minnesota who experienced a problematic interaction with an Accretive Health employee”. However, in Attorney General Lori Swanson’s July 31st press release, three examples of the 60 affidavits were listed, all complaining of improper treatment by Accretive.

Accretive will pay about $2.5 million to the State of Minnesota under the settlement, and the money will be a part of a restitution fund used to compensate patients (for other cases against Accretive). Accretive must also cease all business operations in the State of Minnesota and cannot reenter the state for a period of six years without the agreement of the Attorney General.

Takeaways:

  • This is a poster example of how not to handle a breach, or six of them in their case. One breach is far too many, but having enough of them to build a case for barring a company from conducting business in a state is outrageous.
  • Fairview Health Services and North Memorial Health Care should have done their research, as with all business associates, and conducted a risk analysis on Accretive Health.
  • Finally, as with any mobile device, make sure any data coming through is encrypted in case it is lost or stolen. This could make the difference in whether you have to report and pay for the loss of protected health information.