After the data breach that affected L.A. County, the decision has been made for local administrations to encrypt healthcare data in order to protect the information they hold on state residents.
Many healthcare organizations only give serious consideration to encrypting healthcare data after they have been hit by a data breach or have lost an electronic device containing the Protected Health Information (PHI) of patients; the value of encryption is often only appreciated once a major breach has occurred.
Healthcare data encryption is not mandatory under the Health Insurance Portability and Accountability Act, but it is a protection that must be addressed. HIPAA-covered organizations must consider encrypting all stored data, but if an organization believes it can offer a similar level of protection using other technical safeguards, it is free to do so.
HIPAA-covered entities must also encrypt healthcare data in transit, whether it is via email attachments, text messages between doctors or PHI communications using other messaging platforms.
The decision not to encrypt data can be a costly one. Following a data breach involving more than 500 individuals, the Office for Civil Rights conducts an investigation to assess whether the breach was preventable and if it was caused by HIPAA violations.
The OCR requires documented evidence of the alternative measures used to secure the data, and if those protections are deemed to be insufficient, it is likely to issue a stiff financial penalty. The fine can be as high as $1.5 million per year, per violation.
L.A. County will be aware it may be facing a significant fine after the theft of 8 computers exposed the healthcare data of 342,197 patients. The theft took place at Sutherland Healthcare’s Torrance facilities in March this year and as investigations into the data breach continue, the victim count continues to rise.
At first it was thought that the breach was limited to 168,500 patients, but a further 170,200 patients were later found to have had their information stored on the stolen computers. Now another batch of data has been identified in the data set, adding another 3,497 victims to the total.
The theft of equipment is a criminal matter and one for law enforcement officers to pursue; however, if all healthcare data is encrypted, thieves are unable to access the data stored on the devices and there is no HIPAA violation.
L.A. County did not protect the data, and therefore the thieves could potentially gain access to the highly confidential medical information, personal information and Social Security Numbers of all 342,197 patients.
L.A. County has now instructed local administrations to encrypt healthcare data to ensure that further breaches of this nature cannot occur. It will be encrypting healthcare data from now on and will be reviewing all of its data privacy and security policies and procedures to ensure its patients are afforded the proper protections to keep their healthcare data secure. It has also announced that it will encrypt healthcare data in transit between L.A. County and all of its Business Associates and contractors.
We expect this incident will be the trigger for other local administrations to encrypt healthcare data to ensure that hackers and thieves are prevented from gaining access to confidential medical and personal information.