In the past year, there has been a slew of data breaches – and the resulting settlements – reported in the media. From retailers, like Target and Home Depot, to major healthcare entities, like CareFirst Blue Cross Blue Shield and Excellus Health Plan, virtually no organization has proven impenetrable.
And while these four breaches alone impacted tens of millions of consumers and patients, even a small data breach – especially in healthcare – can have massive repercussions.
Small HIPAA Breaches
When you're responsible for protecting patients' protected health information (PHI), any breach is a significant occurrence that can have long and lasting implications for all involved.
Consider the ramifications of these "small" HIPAA breaches, where only one patient's PHI was exposed:
- In Florida, a nurse inappropriately accessed the records of her nephew's former girlfriend, which divulged that a child had been born to the couple and subsequently placed for adoption. The couple didn't tell any family members about the baby or adoption. However, upon finding out this information, the nurse told other family members, which prompted the former girlfriend to file a complaint with the hospital. The nurse was fired and her license revoked.
- In New York, a nurse sent several text messages to a patient's girlfriend, divulging that the patient had been diagnosed with a sexually transmitted disease at the clinic where the nurse worked. The patient's girlfriend was also the nurse's sister-in-law. The patient went on to file a lawsuit against the clinic for failing to properly protect his PHI. The case, lasting nearly four years, went all the way to the U.S. Court of Appeals before being dismissed.
- A University of Iowa student health employee disclosed pregnancy test results in front of a patient's boyfriend, who was also a "well-known athlete" at the school. He was waiting in the lobby when the employee remarked that she hoped "it was a happy situation." After further investigation, it was found that the employee had inappropriately accessed the girlfriend's medical history at least two additional times that day, viewing past visits and medication. Those violations resulted in the termination of the medical assistant, who had been employed by the university for 14 years.
Prevention is Key
Not only do healthcare entities need to be concerned about threats from the outside, they also need to recognize that breaches, especially smaller-scale ones, frequently originate from the inside.
This is why it's important to have risk management and cybersecurity programs in place. These programs work in tandem to minimize security threats on all levels.
A three-step prevention program is advised:
- Properly screen and train employees, including providing mandatory annual HIPAA training.
- Conduct an annual risk assessment to identify deficiencies in your organization's infrastructure.
- Improve your cybersecurity framework by following the guidelines offered by the National Institute of Standards and Technology (NIST).
Bottom line: Breaches of any size are a big deal. However, smaller-scale breaches that expose the PHI of one or two individuals – often in great detail – have the potential to be more damaging than breaches affecting millions. And no breach, whatever its size, leaves the organization's reputation unharmed.
How are you preventing HIPAA breaches? Do you think smaller-scale breaches have lasting repercussions? Please join the conversation below.