Staff Training on HIPAA Privacy and Security Rules is Essential

The importance of providing staff training on HIPAA Privacy and Security Rules has been highlighted by a recent breach at New York health insurer, Senior Health Partners.

The company has just announced that approximately 2,700 of its members have potentially had their data exposed after two mobile devices were stolen from the apartment of a nurse employed by one of its Business Associates, Premier Home Health. The nurse was provided with a laptop computer which used data encryption software to protect the contents, in full compliance with data security rules.

However, in a breach of company policy, the key needed to unlock the encrypted data was kept in the laptop case, which was also taken in the break-in, so the encryption offered no protection. The smartphone used no encryption and had no security software installed, so the thieves potentially have access to its entire contents.

SHP commissioned a forensic analysis of the breach to determine the data exposed and the likelihood of it being viewed or used inappropriately. The investigation found that some data was accessible via an email attachment, although it could not determine whether the information had been viewed or copied without access to the device itself.

The investigation did confirm the extent of data exposed. The data included Social Security and Medicaid ID numbers, health insurance claim numbers, dates of birth, phone numbers, medical services rendered and diagnoses of medical conditions. One person also had a Medicaid plan, eligibility, and program information exposed, along with third-party administrator information.

All affected individuals have been contacted and are being offered credit monitoring services together with identity fraud protection for one year, and if they become victims of fraud, they will receive a free credit repair service.

HIPAA does not strictly mandate data encryption (it is an "addressable" implementation specification under the Security Rule), but SHP deemed it necessary to use it. Encryption alone was not sufficient to prevent the breach: either training had not been provided to the staff, or the importance of keeping an encrypted device and its key separate had not been understood.

The incident shows how even the best protections can be easily undone by a single lapse in handling, and why it is so important to provide staff training on HIPAA privacy and security rules. Healthcare providers and insurers must also take steps to ensure that policies and procedures are actually followed, not just written.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news