Critical Incident: Privacy & Security Breach

Get Started. It's Free
or sign up with your email address
Rocket clouds
Critical Incident: Privacy & Security Breach by Mind Map: Critical Incident: Privacy & Security Breach

1. Background

1.1. Relevant Regulations

1.1.1. HIPAA

1.1.1.1. Health Insurance Portability and Accountability Act of 1996

1.1.2. HITECH ACT

1.1.2.1. HITECH Act Enforcement Interim Final Rule

1.1.3. Final privacy rule 2001 (Office for Civil Rights, 2017).

1.1.4. Final security rule 2003 (Office for Civil Rights, 2017).

1.1.5. Enforcement Rule (Office for Civil Rights, 2017).

1.1.6. Final Omnibus rule (Office for Civil Rights, 2017).

1.1.6.1. Breach notification rule

1.1.6.1.1. Breach Notification Guidance under the HIPAA Omnibus Rule

1.1.7. Transactions and Code Sets Standards (Office for Civil Rights, 2017).

1.1.8. Employer Identifier Standard (Office for Civil Rights, 2017).

1.1.9. National Provider Identifier Standard (Office for Civil Rights, 2017).

1.2. Discuss legal, ethical, and regulatory aspects of the critical issue.

1.2.1. New Jersey Consumer Fraud Act violated (Donovan, 2018).

1.2.2. HITECH act violated (Donovan, 2018).

1.2.3. HIPAA violations occured

1.2.3.1. There was failure to adequately train staff on security measures (Donovan, 2018).

1.2.3.2. The agencies response and reaction was delayed (Donovan, 2018).

1.2.3.3. The agency is lacking in protocols for protection of electronic PMI (Donovan, 2018)

1.2.3.4. The disclosure of the patient information occurring; and the agencies failure to record who accessed the data during the breach and the frequency that the data was accessed (Donovan, 2018).

1.2.4. Patient Bill of rights unmet

1.2.4.1. It is a patient's right to have privacy of personal health information and to not have it shared. (U.S. Department of Health and Human Services, 2014).

1.2.5. HIPAA Omnibus Rule violated (Healthcare Information and Management Systems Society, 2014)

1.3. Setting

1.3.1. Information exposed between January and February of 2016. March 2016 patient's were notified (New Jersey Division of Consumer Affairs, 2018). Originally reported in 2016 by Virtua Medical Group in NJ. Lawsuit finalized in April 2018 (Donovan, 2018).

1.3.1.1. A private transcription company called Best Medical Transcription hired by Virtua exposed an internet page which stored private patient information. This resulted in violations of laws and regulations. PMI was accessible via Google search. Although the private transcription company caused the data breach Virtua remains responsible (Donovan, 2018).

1.3.1.1.1. PMI was exposed and searchable on google within "catched" pages (Donovan, 2018).

1.3.1.1.2. 1650 Individuals affected (Donovan, 2018).

1.3.1.1.3. How long has the larger issue occurred?

2. Resolution

2.1. VMG critical incident

2.1.1. Corrective Action Plan (Office of Attorney General, New Jersey, April).

2.1.2. $418,000 fine (Office of Attorney General, New Jersey, April).

2.1.3. Continued internal surveillance through third party with yearly report detailing compliance to security and privacy of PMI (Office of Attorney General, New Jersey, April).

2.2. Possible solutions to address and prevent privacy/security breach

2.2.1. Have any solutions for the critical incident been tried in the past? If so, what are they? Explain.

2.2.1.1. Multi-faceted risk assessment after a data breach occurs (Snell, 2018d).

2.2.1.1.1. The Role of Risk Assessments in Healthcare

2.2.1.2. multi-disciplinary prompt response involving compliance, security, I.T., privacy departments (Norwich University, 2017).

2.2.1.2.1. Healthcare Data Breaches – The Costs and Solutions | Norwich Online Graduate Degrees

2.2.2. From the patient perspective. What is a possible solution for the critical incident? why?Does the critical issue affect the patient to the patient needing a solution

2.2.2.1. The patient will most likely want to know their PMI is protected and insured for some time after the incident. Offering free membership to a fraud prevention agency could be a solution in the patient's perspective. The company would monitor credit, finances, and healthcare billing for fraudulent activity. Additionally an unconventional solution would be to leave the health agency and chose to use a different one instead.

2.2.3. From the administrator perspective. What is a possible solution for the critical incident

2.2.3.1. Thorough risk assessment; the government recommends a 4-point assessment (Snell, 2018c)

2.2.3.1.1. The Role of Risk Assessments in Healthcare

2.2.3.2. Thorough technical investigation

2.2.3.2.1. Finding out how incident occurred with a thorough investigation

2.2.3.3. Change companies or stop using companies that do not meet privacy and security standards

2.2.3.4. Hire a third party company to assist with privacy and security measures of PMI in facilities; begin a performance improvement plan focusing on this (Norwich University, 2017).

2.2.3.5. Hold education sessions for employees regarding HIPAA, PMI security, and current regulations which exist (Norwich University, 2017).

2.3. What could be the long-term impact of the critical issue on a healthcare system as a whole?

2.3.1. Cost

2.3.1.1. "5.6 billion per year, 2.1 million per incident, 201$ average per record" University, 2017).

2.3.1.2. Investigation, notification, remediation, paying for financial monitoring/future theft, lost business, fines (Norwich University, 2017).

2.3.2. Patient loyalty

2.3.2.1. Loss of patient satisfaction, loyalty, and trust of healthcare system.

2.4. Think about what actions may have prevented the issue?

2.4.1. Maintaining business associate agreements with partnering companies to ensure PMI is treated securely and protected appropriately (Snell, 2018e).

2.4.1.1. What is a HIPAA Business Associate Agreement (BAA)?

2.4.2. Understanding current regulations and requirements and maintaining them (Snell, 2018a).

2.4.2.1. Easing HIPAA Violation Concerns with Patient Data Access

2.4.3. It would also be necessary to understand which cooperating agencies and companies must adhere to HIPAA regulations (U.S. Department of Health and Human Services, 2017).

2.4.3.1. Covered Entities and Business Associates

2.4.4. It is necessary to ensure that entities adhere to HIPAA regulations and follow protocol (Snell, 2018c).

2.4.4.1. HIPAA Data Breaches: What Covered Entities Must Know

2.5. Are there any existing informatics tools that can help be a solution to the critical incident. If so, what are they? Explain.

2.5.1. Programs which assist with encryption of patient data (Norwich University, 2017).

2.6. Can you propose any steps to a solutions effect a healthcare team?

2.6.1. Rather, if one were to come up with a solution, what aspects of informatics should be thought about? Ethics? Regulations? Explain

2.6.1.1. Proposed solution would be to hire a third party to begin reformatting security and privacy policies and regulations, create PMI information branch of company, create a plan of correction, educate company employees about HIPAA.

2.6.1.1.1. Ethics: Company would need to ensure solution to storing PMI is ethically appropriate.

2.6.1.1.2. Regulations would need to be followed: see section of current regulations/laws.

2.6.2. Does your proposed solutions align with HIPAA and the HITECH Act?

2.6.2.1. Yes.

2.6.3. What potential benefits to informatics will your solution bring

2.6.3.1. Updating company to meet regulations will benefit the company and prevent future data breaches.

3. Impact of Critical Incident

3.1. Agencies Involved

3.1.1. Division of Consumer Affairs

3.1.1.1. Consumer Affairs director stated that "'although it was a third-party vendor that caused this data breach, VMG is being held accountable because it was their patient data and it was their responsibility to protect it... This enforcement action sends a message to medical practices that having a good handle on your own cybersecurity is not enough. You must fully vet your vendors for their security as well'" (Donovan, 2018).

3.1.1.2. Involved in lawsuit.

3.1.2. New Jersey Attorney General

3.1.2.1. Involved in lawsuit.

3.1.3. Virtua Health Agency

3.1.3.1. Agency affected by privacy & security breach

3.1.4. New Jersey State Police

3.1.4.1. Incident reported to this agency initially (New Jersey Division of Consumer Affairs, 2018).

3.1.5. FBI

3.1.5.1. Incident reported to this agency initially (New Jersey Division of Consumer Affairs, 2018).

3.1.6. Best Medical Transcription

3.1.6.1. The company where the data breach occured.

3.1.7. Department of Health and Human Services’ Office for Civil Rights (OCR)

3.1.7.1. Representative for the public in investigating and upholding privacy and security regulations in healthcare (Office for Civil Rights, 2017).

3.1.7.1.1. HIPAA for Professionals

3.2. stakeholders

3.2.1. Stakeholders are impacted due to financial risk due to investment in the company. The company may lose credibility (Norwich University, 2017).

3.3. patients

3.3.1. Patients are affected because their PMI is exposed to hackers and they are vulnerable to fraud and theft of information. Not only that but their privacy has been invaded (Norwich University, 2017).

3.4. administrative staff

3.4.1. Administration is affected because they have potentially not met set standards for protection of PMI and may be held accountable for data breaches. If the company goes out of business due to a severe data breach their positions may be eliminated (Norwich University, 2017).

4. Evolution of critical incident

4.1. Has this critical incident and issue occurred in other fields

4.1.1. Emblemhealth data breach

4.1.1.1. The Social Security Numbers of over 80,000 people were exposed when EmblemHealth send mailers with the SSN instead of patient identification numbers showing in the envelope window. The company has had to pay over half a million in fines, complete a corrective action plan, and complete self-evaluation processes (Snell, 2018b).

4.1.1.1.1. EmblemHealth Data Breach Leads to $575K NY State Settlement

4.1.2. Fresenius Medical Care North America (FMCNA)

4.1.2.1. In 2012, five data breaches occurred in entities of Fresenius Medical Care North America (FMCNA). Data breaches were related to unauthorized access, poor protection of patient data physically and electronically, and inappropriate reaction to data breaches which occurred. The company has had to pay over three million, complete a corrective action plan, change policies and procedures, educate employees, complete a self evaluation of privacy and security, and start implementing encryption reports (U.S. Department of Health and Human Services, 2018b).

4.1.2.1.1. Five breaches add up to millions in settlement costs for entity that failed to heed HIPAA’s risk analysis and risk management rules

4.1.3. FileFax

4.1.3.1. FileFax, an agency which stored patient documentation for companies had to pay fines even after closing related to HIPAA violations. The company did not secure paper medical records, and some were stolen in 2015. During the investigation the company closed, but was still responsible legally and had to pay fines for HIPAA violations (U.S. Department of Health and Human Services, 2018a).

4.1.3.1.1. Consequences for HIPAA violations don’t stop when a business closes

4.1.4. Overall

4.1.4.1. Data Breaches for the first quarter of 2018 are almost doubled compared to the last quarter of 2017. Although the amount of data breaches has decreased, 77 since the start of 2018, their severity has increased. Over one million people's PMI has been accessed or stolen since 2018 began, with the most common cause listed as insiders accessing data (HIPAA Journal, 2018).

4.1.4.1.1. Report: Healthcare Data Breaches in Q1, 2018

4.2. Common Themes of Researched Violations & Virtua Violation

4.2.1. Break HIPAA violations

4.2.1.1. granting unauthorized access to PMI

4.2.1.2. Failure to protect and secure PMI physically and electronically (Norwich University, 2017).

4.2.2. Failure to address internally

4.2.2.1. Not following procedures in response to incidents (Healthcare Information and Management Systems Society, 2014).

4.2.2.1.1. Breach Notification Guidance under the HIPAA Omnibus Rule

4.2.3. failure to complete self-analysis of risk related to privacy and security

4.2.4. lack of employee training on HIPAA and protection of PMI

4.2.5. lack of oversight of entity or hired company privacy and security adherence to regulations

4.3. Did something happen that created this critical incident?

4.3.1. In January 2016, the private transcription company was updating its server, and accidentally allowed a site to be accessed without use of a password. The site served as a storage unit for PMI of up to 1650 patients. The company removed the files, but they were still available via google "cached" items. The company did not report the breach to VMG at the time. A patient discovered PMI on google and notified VMG on January 22, who then reported the breach to the New Jersey State Police and the FBI. The files were removed finally on February fourth after an investigation which found VMG was unaware of the breach when it was reported on January 22 Originally reported in 2016 by Virtua Medical Group in NJ. Lawsuit finalized in April 2018 (Donovan, 2018).

4.4. As technology and informatics evolve, how as the incident changed?

4.4.1. The incident was a breach of HIPAA policies put in place via the HITECH act to enhance protection of patient information when organizations are using information technology (Donovan, 2018).

4.4.2. The incident has changed the climate of organizational accountability; in that organizations must be responsible for all of their operations and ensure that these are following regulations (Office of Attorney General, New Jersey, April).

4.5. How has this critical incident evolved?

4.5.1. The incident led to a lawsuit, wherein Virtua Medical Group had to pay a half a million dollar payment to New Jersey, hire a third party to audit and maintain regulatory compliance, and complete a corrective action plan (Office of Attorney General, New Jersey, April).