Aventura Hospital and Medical Center has announced a new security breach, the third it has suffered in the last two years, affecting up to 82,601 individuals. The healthcare provider only recently discovered the breach, even though it began just one day after the previous one was stopped.
Between October 1, 2012 and December 31, 2012, the data of 948 patients was released without permission, and a second HIPAA breach occurred between January 1, 2012 and September 12, 2012, affecting 2,560 patients. The third breach started the very next day, September 13, 2012, and the improper access continued until June 9, 2014.
The latest HIPAA breach was caused by an employee of one of the hospital's business associates, Valesco Ventures. The company was alerted in May that the employee could have inappropriately accessed patient data, but it was not until early June that it was established that the employee had improperly accessed the names, dates of birth and Social Security numbers of up to 82,601 people, according to a report on Local10.com.
Terry Meadows, M.D., the manager of Valesco, confirmed that no financial information or medical data was released during the breach and stated that “Valesco Ventures and Aventura Hospital are assisting law enforcement to identify and prosecute all responsible parties.”
Employee snooping and theft of data for personal gain can be hard to identify and stop, but healthcare providers can put in place policies and procedures that reduce the opportunity for employees to steal or inappropriately access data. They should also have systems in place, such as audit logging of record access and review of that log against expected access patterns, that rapidly identify individuals who do so. A breach that runs undetected for 21 months, as this one did, indicates that access to patient records was not being monitored effectively.
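The kind of access monitoring described above, as an added example that is not part of the original article or of either organization's systems: it runs two checks over EHR access audit logs, flagging users whose daily distinct-patient access count exceeds a per-role baseline, and clinical users who open records of patients not on their assigned care team. The log format, field names, roles, thresholds and care-team roster are all assumptions, and the log lines are constructed for the example; in practice baselines are derived from historical access volume per role rather than hard-coded.

```python
"""Insider-snooping detection over EHR access audit logs.

Added example, not code from the original article. The log format, roles,
baselines and care-team roster below are assumptions; the log is constructed.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log (assumed format): timestamp user role patient_id action
SAMPLE_LOG = """\
2014-06-02T08:02:11 jdoe billing P1001 VIEW
2014-06-02T08:05:40 jdoe billing P1002 VIEW
2014-06-02T08:09:03 jdoe billing P1003 VIEW
2014-06-02T08:12:27 jdoe billing P1004 VIEW
2014-06-02T08:15:55 jdoe billing P1005 VIEW
2014-06-02T08:19:14 jdoe billing P1006 VIEW
2014-06-02T09:30:00 dr_k physician P2001 VIEW
2014-06-02T09:45:00 dr_k physician P2002 UPDATE
2014-06-02T13:00:12 nurse_a nurse P2001 VIEW
2014-06-02T13:30:48 nurse_a nurse P2002 VIEW
2014-06-02T14:10:05 nurse_a nurse P3003 VIEW
2014-06-03T08:01:00 jdoe billing P1001 VIEW
"""

# Assumed per-role baseline: maximum distinct patients one user may touch per day.
# Deliberately small so the constructed log trips it; real values come from history.
ROLE_DAILY_BASELINE = {"billing": 5, "nurse": 3, "physician": 3}

# Assumed care-team roster: patients each clinical user legitimately treats.
# Roles absent from the roster (e.g. billing) are not subject to the scope check.
CARE_TEAM = {
    "dr_k": {"P2001", "P2002"},
    "nurse_a": {"P2001", "P2002"},
}


def parse_log(text):
    """Parse whitespace-separated audit lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, user, role, patient, action = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "role": role,
            "patient": patient,
            "action": action,
        })
    return events


def volume_anomalies(events, baseline):
    """Flag (user, day, count, limit) where distinct patients/day exceeds the role baseline."""
    per_day = defaultdict(set)
    roles = {}
    for e in events:
        per_day[(e["user"], e["ts"].date())].add(e["patient"])
        roles[e["user"]] = e["role"]
    alerts = []
    for (user, day), patients in sorted(per_day.items()):
        limit = baseline.get(roles[user])
        if limit is not None and len(patients) > limit:
            alerts.append((user, day.isoformat(), len(patients), limit))
    return alerts


def out_of_scope_access(events, care_team):
    """Flag (user, patient, timestamp) for rostered users opening unassigned records."""
    alerts = []
    for e in events:
        assigned = care_team.get(e["user"])
        if assigned is not None and e["patient"] not in assigned:
            alerts.append((e["user"], e["patient"], e["ts"].isoformat()))
    return alerts


def run(text=SAMPLE_LOG):
    """Run both checks and return all alerts for review."""
    events = parse_log(text)
    return {
        "volume": volume_anomalies(events, ROLE_DAILY_BASELINE),
        "scope": out_of_scope_access(events, CARE_TEAM),
    }


if __name__ == "__main__":
    for kind, alerts in run().items():
        for alert in alerts:
            print(kind, *alert)
```

The volume check catches the pattern typical of bulk identity theft (one account sweeping demographics across many unrelated patients), while the scope check catches targeted snooping on a single record; the two are complementary and a real deployment would add an off-hours check and an alert on bulk export of Social Security number fields.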
Since the HIPAA Omnibus Rule took effect, business associates can be held directly liable for data breaches that result from HIPAA violations they have committed, such as failing to have appropriate technical, administrative and physical safeguards in place to protect HIPAA-covered data. The covered entity that engages a business associate is also not exempt from financial penalties if it is found that it too violated HIPAA rules and contributed to the cause of the breach.
The Office for Civil Rights has been policing HIPAA more stringently in recent years and has already issued a number of major penalties for HIPAA violations that exposed patients' healthcare data, personal identifiers and Social Security numbers. The OCR has the authority to issue fines of up to $1.5 million per violation type, per year. In this case that could possibly result in a fine of up to $3 million.
While such a large-scale data exposure is highly concerning, so too is the amount of time it took Aventura and Valesco Ventures to halt the breach and notify the victims. The company first became aware of a potential HIPAA breach on May 28, 2014, when it was informed that an employee “may have improperly accessed the personal identifying information of a number of patients of Aventura Hospital”.
It was not until more than three months later, on September 9, 2014, that breach notifications were sent to the affected patients. Under the HIPAA Breach Notification Rule, covered entities must notify the individuals who may have been affected, and the OCR when 500 or more people are involved, without unreasonable delay and no later than 60 days after the breach is discovered.