Lone Star Circle of Care HIPAA Breach Caused By Actions of Business Associate

News has emerged of a Lone Star Circle of Care HIPAA breach which has affected approximately 8,700 individuals. The community health clinic in Georgetown, Central Texas, has begun sending breach notification letters to all affected individuals to alert them to a data breach which has resulted in their personal information being exposed and accessed by a number of unknown individuals.

Lone Star Circle of Care HIPAA Breach Could Easily Have Been Prevented

Ironically, the HIPAA compliance breach was caused by a third-party contractor that had been employed to maintain and secure the healthcare provider's website. Lone Star CEO, Rhonda Mundhenk, confirmed in a statement that the company responsible had “been let go”, although she declined to name the company involved.

The data breach has affected approximately 6,300 patients and 2,400 other individuals who had entered information into contact forms on the company website. This data was inadvertently backed up, and the backup file was saved in a directory that was reachable through the website's search facility, even though the file was not directly linked from any page on the website.

The error was attributed to the actions of an employee of the Business Associate on 31st July 2014. LSCC did not become aware of the HIPAA breach until 9th January 2015, and immediately following the discovery the file was removed, although not in time to prevent some or all of the information it contained from being viewed by an undisclosed number of persons. LSCC confirmed that the data could possibly have been downloaded but did not divulge whether this had in fact occurred.

Lone Star Circle of Care offers medical services to close to 80,000 residents in the Central Texas area. The non-profit organization mainly provides those services to low income individuals and people who cannot afford health insurance. The Lone Star Circle of Care HIPAA breach only affects individuals who have previously made contact with the healthcare provider via its online patient portal.

Medical data is stored elsewhere and was not present in the backup file, and LSCC confirmed that no financial information was exposed at any point during the data breach, although 5 full or incomplete Social Security numbers were present in the file.

The full text of messages entered via the portal was contained in the file, which mostly pertained to appointment, refill and call back requests. Approximately a quarter of the messages came from job seekers and businesses. Contact information was also exposed, which included names, addresses, email addresses, telephone and mobile numbers, together with some dates of birth.
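The failure described above, a contact-form export left in a web-accessible directory, is the kind of thing a routine web root audit catches. The script below is an added example and not code from the article or from LSCC: it walks a web root, flags files whose names look like backups or exports, and counts SSN-like and e-mail patterns in them. The directory layout, file names and records are constructed fixtures.

```python
import os
import re
import tempfile

# File names that typically mark a backup or data export left on a web server.
BACKUP_PATTERNS = re.compile(
    r"(backup|export|dump|\.bak$|\.sql$|\.csv$|\.zip$|\.tar\.gz$)", re.I)
# Crude PII detectors: US SSN in ###-##-#### form, and e-mail addresses.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")


def audit_webroot(webroot, max_bytes=1_000_000):
    """Return one finding per backup-like file found under the web root."""
    findings = []
    for dirpath, _, filenames in os.walk(webroot):
        for name in filenames:
            if not BACKUP_PATTERNS.search(name):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    sample = fh.read(max_bytes).decode("utf-8", "replace")
            except OSError:
                sample = ""
            findings.append({
                "path": os.path.relpath(path, webroot),
                "ssn_count": len(SSN_RE.findall(sample)),
                "email_count": len(set(EMAIL_RE.findall(sample))),
            })
    return findings


def build_sample_webroot():
    """Constructed fixture: a web root with a stray contact-form export."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "uploads"))
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<html><body>Contact us</body></html>")
    export = os.path.join(root, "uploads", "contact_export_2014-07-31.csv")
    with open(export, "w") as fh:
        fh.write("name,email,message\n")
        fh.write("Jane Doe,jane@example.com,Please call back about a refill\n")
        fh.write("John Roe,john@example.com,SSN 123-45-6789 for appointment\n")
    return root


if __name__ == "__main__":
    for f in audit_webroot(build_sample_webroot()):
        print(f"{f['path']}: ssn={f['ssn_count']} emails={f['email_count']}")
```

Any finding with a non-zero count is a file that should not be under the web root at all; the name patterns are a starting point and should be extended to match the site's own export conventions.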

Potential Action for HIPAA Violations

The OCR investigates data breaches and can issue fines if data has been exposed as a result of a violation of HIPAA Rules. Fines range from $100 to $50,000 for a company that has unknowingly caused a data breach, while the minimum fine is $1,000 if there was “reasonable cause”. A penalty of at least $50,000 can be issued if the breach was the result of willful neglect.

The nature of a breach, its seriousness, and the number of persons affected are taken into consideration by the OCR when deciding on the appropriate penalty. This is not the first Lone Star Circle of Care HIPAA breach to be reported recently. Last year a laptop was stolen, exposing the data of 1,955 patients, and this too will be considered should the OCR decide that a financial penalty is appropriate. According to the financial penalty structure laid down in the Omnibus Rule, a maximum penalty of $1,500,000 can be issued for a HIPAA violation.

The Omnibus Rule also requires all business associates of HIPAA-covered entities to sign Business Associate Agreements in which the BA must agree to comply with the HIPAA Privacy and Security Rules. Business Associates are accountable for their actions, or lack of them, and can be held liable for any HIPAA breaches that they cause.

In this case it would appear that the business associate in question failed to implement the appropriate administrative and/or technical controls to secure the data, which includes personally identifiable information protected under HIPAA. That appears to be a clear violation of the Security Rule, although this is a matter for the OCR to determine during its investigation. The business associate could therefore be fined for the HIPAA breach, as could LSCC if it failed to put a BAA in place or is otherwise found to have violated HIPAA.

HIPAA data breaches affecting more than 500 individuals must be reported to the Office for Civil Rights within 60 days, and all persons affected by the data breach must similarly be issued with a breach notification without unnecessary delay. After the Lone Star Circle of Care HIPAA breach, 6,300 patients were notified of the incident, although notification letters were delayed by 6 weeks.

The delay was attributed to the time it took for a forensic analysis to be conducted to determine how the breach was caused, the time the data was exposed and who had been able to access the information. It also took time to verify the contact information of victims, arrange credit monitoring services and translate all appropriate information into Spanish.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news