In a case that serves as a cautionary tale of the consequences of lax health data security, HHS announced that wireless health services provider CardioNet has agreed to pay $2.5 million after its insufficient data protection led to personal health information being stolen.
According to a press release from the HHS Office for Civil Rights (OCR), the case centered around a violation of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. In 2012, a laptop containing the personal health data of nearly 1400 people was stolen from a CardioNet employee’s car. The theft was reported to the OCR, but a subsequent investigation found that the wireless health services provider “had an insufficient risk analysis and risk management processes in place at the time of the theft.”
CardioNet, which monitors and responds to patients’ cardiac arrhythmias using mobile technology, had not implemented any safeguards for the protection of personal health data, including on mobile devices, nor did it have policies in place to comply with the HIPAA Security Rule.
In the agreement reached this month, CardioNet settled the violations by paying HHS $2.5 million and agreeing to follow through on a corrective action plan designed by the company and OCR to prevent future HIPAA violations. CardioNet must now conduct a thorough security risk analysis, develop and enact a risk management plan, implement secure device and media controls like data encryption, and review and revise its data security and handling training program for employees. All of these steps must be monitored and approved by HHS.
The action plan also included requirements that CardioNet alert HHS to any potential violations that could be considered a reportable event and submit an annual report that assesses and updates its data security strategy. If it breaches any of the agreement components, it could be subject to a fine imposed by HHS.
The press release from OCR was titled “$2.5 million settlement shows that not understanding HIPAA requirements creates risk,” potentially as a warning to other mobile health providers that privacy and security rules violations will be taken seriously. It noted that this was the first settlement that involved a provider of wireless health services.
“Mobile devices in the healthcare sector remain particularly vulnerable to theft and loss,” said Roger Severino, director of OCR, in the statement. “Failure to implement mobile device security by Covered Entities and Business Associates puts individuals’ sensitive health information at risk. This disregard for security can result in a serious breach, which affects each individual whose information is left unprotected.”
A survey released this month of 125 health information technology professionals at various health systems confirmed that businesses understand the importance of data security awareness among their employees. Almost 80% of respondents said employee security awareness and culture was their source of greatest concern in terms of exposure to a security threat. The most commonly reported practices in place to mitigate these risks were remote access controls, employee security awareness programs, and security consulting services to assess vulnerabilities.
Issues in healthcare cybersecurity—including the challenge of balancing patients’ rights with system protections—will be featured in a session of next week’s meeting of the ACO and Emerging Healthcare Delivery Coalition in Scottsdale, Arizona. To register, visit our conference page at ajmc.com.