
Adult & Pediatric Dermatology Fined $150,000 For Lost Thumb Drive

Recently a dermatology practice learned that something as small as a thumb drive could be very costly.

Adult & Pediatric Dermatology, P.C., of Concord, Mass., lost a thumb drive. That doesn’t sound like a huge deal, except that this particular thumb drive was unencrypted and contained the electronic protected health information (ePHI) of about 2,200 individuals.

The US Department of Health and Human Services Office for Civil Rights (OCR) received a report that the thumb drive had been stolen from an APDerm employee’s vehicle and was never recovered. After its investigation, OCR and APDerm agreed to a $150,000 settlement. APDerm received this HIPAA penalty not only because it lost the thumb drive, but because the practice had never identified the loss or theft of portable devices as a risk in a HIPAA risk analysis, and so had never managed that risk to keep its patients’ data protected.

Besides paying the $150,000, APDerm was given a corrective action plan that requires it to develop a risk analysis and risk management plan that addresses and mitigates its security risks and vulnerabilities, and to give OCR an implementation report once the plan is complete.

There are three ways this practice could have prevented this from happening:

  1. Don’t put protected data onto a portable device, since portable devices are easily lost or stolen. Use a secure remote access tool if you need the information outside of your office.
  2. Encrypt all of your data to protect your patients and your practice. Use encryption for all devices, portable and stationary. HHS guidance treats ePHI that is encrypted to its standards as “secured,” so losing an encrypted drive generally does not trigger breach notification, while losing an unencrypted one does.
  3. Have a risk analysis done by a professional. It’s cheaper to hire a professional to do the analysis than to do it yourself, miss something, and receive a HIPAA penalty.

If you’re a healthcare provider, be sure to follow these steps. If you don’t, you risk following in APDerm’s footsteps and costing your practice money, time and reputation over something as small as a thumb drive.
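As an added example (it is not part of the original article, and not APDerm’s or HIPAA One’s tooling), the following Python script shows the check that step 2 implies: before a thumb drive or laptop disk leaves the office, inspect a raw image of its volume for an encryption-container header and, failing that, for the near-8-bits-per-byte entropy that ciphertext has. The LUKS and BitLocker magic values come from those formats’ on-disk layouts; the sample images, the patient record inside one of them, and the 7.5 entropy threshold are constructed for the example.

```python
import math
from collections import Counter
from random import Random
from typing import Dict, List, Optional

# Magic values from the on-disk formats: a LUKS primary header starts with
# "LUKS\xba\xbe" at offset 0; a BitLocker volume has "-FVE-FS-" as the OEM
# name at offset 3 of its boot sector.  Containers with no plaintext header
# (VeraCrypt, for example) are only caught by the entropy heuristic below.
CONTAINER_SIGNATURES = {
    "LUKS": (0, b"LUKS\xba\xbe"),
    "BitLocker": (3, b"-FVE-FS-"),
}


def detect_container(image: bytes) -> Optional[str]:
    """Name of a recognised encryption container header, or None."""
    for name, (offset, magic) in CONTAINER_SIGNATURES.items():
        if image[offset:offset + len(magic)] == magic:
            return name
    return None


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for a constant fill, close to 8.0 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_volume(image: bytes, window: int = 4096, threshold: float = 7.5) -> dict:
    """Decide whether a raw volume image is encrypted at rest.

    The entropy sample skips the first `window` bytes so that a plaintext boot
    sector or container header does not distort the reading.  `threshold` is an
    assumed cut-off: real ciphertext sits around 7.9 on a 4 KiB sample.
    """
    container = detect_container(image)
    sample = image[window:2 * window] or image[:window]
    entropy = shannon_entropy(sample)
    return {
        "container": container,
        "entropy": round(entropy, 2),
        "encrypted": container is not None or entropy >= threshold,
    }


def unencrypted_volumes(images: Dict[str, bytes]) -> List[str]:
    """Names of the images whose loss would expose plaintext data."""
    return sorted(name for name, img in images.items()
                  if not classify_volume(img)["encrypted"])


# --- constructed sample images standing in for device dumps (not real devices) ---
def _pseudo_ciphertext(n: int, seed: int) -> bytes:
    """Deterministic stand-in for encrypted sectors."""
    rng = Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


_RECORD = b"PATIENT,DOE JOHN,1975-04-02,MRN A12345,VISIT 2013-09-12,DERMATITIS\n"

SAMPLE_IMAGES = {
    "luks_usb": b"LUKS\xba\xbe\x00\x02".ljust(4096, b"\x00") + _pseudo_ciphertext(8192, 1),
    "bitlocker_usb": b"\xeb\x58\x90-FVE-FS-".ljust(4096, b"\x00") + _pseudo_ciphertext(8192, 2),
    "headerless_container": _pseudo_ciphertext(12288, 3),
    # A FAT-formatted thumb drive holding plaintext patient records.
    "plaintext_fat_usb": b"\xeb\x3c\x90MSDOS5.0".ljust(512, b"\x00") + (_RECORD * 200)[:11776],
}

if __name__ == "__main__":
    for name, img in SAMPLE_IMAGES.items():
        print(f"{name:22s} {classify_volume(img)}")
    print("needs encryption before it leaves the office:", unencrypted_volumes(SAMPLE_IMAGES))
```

On a real device, feed the first few tens of kilobytes of the block device (for example the output of `dd if=/dev/sdb bs=4096 count=8`) to `classify_volume`. Entropy is only a heuristic: a plaintext filesystem whose sampled region happens to hold a compressed archive or a JPEG scan also reads as high entropy, so treat a recognised container header as the positive signal and a low reading as the definitive failure.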


Atlanta Children’s Hospital Fires and Files Suit Against Executive

According to a recent report, an award-winning Atlanta children’s hospital has fired and filed suit against one of its former top executives for allegedly stealing hospital data.

Children’s Healthcare of Atlanta filed a complaint in Atlanta federal court on Oct. 25 against Sharon McCray, its former corporate audit adviser, claiming she stole a considerable amount of proprietary information.

The data McCray is alleged to have stolen includes patient health information of children, DEA numbers, financial information, state license numbers for more than 500 health care providers, and other confidential information belonging to Children’s.

McCray, an employee since 2000, gave Children’s notice of her resignation on Oct. 16, to be effective Dec. 20.

Only two days later, the hospital noticed that McCray had been emailing its protected health information to her personal email account. Children’s claims she began emailing herself the information on the day she announced her resignation and continued through Oct. 21, when the hospital shut off her access to her corporate email account.

At a meeting with Children’s on Oct. 21, McCray admitted to emailing information to her personal email account. She was fired the next day. Note the timeline: the forwarding ran for five days after notice was given, and for three days after the hospital first noticed it, before access was cut. That window is exactly what a departing-employee monitoring rule and a prompt offboarding trigger exist to close.

Children’s Healthcare of Atlanta, a renowned pediatric facility since 1998, has asked McCray to return the information. She has not yet done so, so Children’s is asking a federal judge to compel her to.
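As an added example (not part of the original report, and not Children’s own tooling), here is detection logic in Python that would surface the pattern described above at the mail gateway: an internal sender repeatedly mailing attachments to a personal webmail address, escalated when HR has recorded that the sender has given notice. The log format, mail domain, user names, dates and HR feed are constructed for the example, and the webmail list is an assumed starting point rather than a complete one.

```python
from datetime import datetime, timedelta
from typing import Dict, List

INTERNAL_DOMAIN = "hospital.example"   # assumption: the covered entity's own mail domain
# Assumed seed list of personal webmail providers; extend it for your environment.
PERSONAL_WEBMAIL = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com", "aol.com"}

# Constructed mail-gateway log for the example (not from any real system).
# Fields: timestamp,sender,recipient,attachment_count,bytes
MAIL_LOG = """\
2013-10-16T09:12:03,jsmith@hospital.example,jsmith.home@gmail.com,3,2481920
2013-10-16T17:40:11,jsmith@hospital.example,jsmith.home@gmail.com,5,8120000
2013-10-17T08:05:49,tnguyen@hospital.example,billing@hospital.example,1,20480
2013-10-17T12:30:00,rlee@hospital.example,cousin.rlee@yahoo.com,1,51200
2013-10-18T07:55:21,jsmith@hospital.example,jsmith.home@gmail.com,9,30500000
2013-10-19T22:14:37,jsmith@hospital.example,jsmith.home@gmail.com,12,61200000
2013-10-21T06:01:02,jsmith@hospital.example,jsmith.home@gmail.com,4,9800000
2013-10-21T11:20:45,tnguyen@hospital.example,tnguyen@hospital.example,0,1024
"""

# Constructed HR feed: who has given notice, and on what date.
NOTICE_GIVEN = {"jsmith@hospital.example": datetime(2013, 10, 16)}


def parse_mail_log(text: str) -> List[dict]:
    """Turn the CSV-style gateway log into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sender, rcpt, n_att, size = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "sender": sender.lower(),
                       "recipient": rcpt.lower(), "attachments": int(n_att), "bytes": int(size)})
    return events


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1]


def find_personal_exfil(events: List[dict], notice_given: Dict[str, datetime],
                        watch_days: int = 30, bulk_attachments: int = 10) -> List[dict]:
    """Flag internal senders mailing attachments to personal webmail.

    Severity is raised to "high" when the sender has given notice within
    `watch_days` of the activity, or when the attachment volume is bulk.
    """
    per_sender: Dict[str, dict] = {}
    for e in events:
        if _domain(e["sender"]) != INTERNAL_DOMAIN:
            continue                      # inbound or external mail is out of scope here
        if _domain(e["recipient"]) not in PERSONAL_WEBMAIL or e["attachments"] == 0:
            continue
        s = per_sender.setdefault(e["sender"], {"messages": 0, "attachments": 0, "bytes": 0,
                                                "first": e["ts"], "last": e["ts"]})
        s["messages"] += 1
        s["attachments"] += e["attachments"]
        s["bytes"] += e["bytes"]
        s["first"] = min(s["first"], e["ts"])
        s["last"] = max(s["last"], e["ts"])

    findings = []
    for sender, s in per_sender.items():
        notice = notice_given.get(sender)
        departing = notice is not None and abs(s["first"] - notice) <= timedelta(days=watch_days)
        severity = "high" if departing or s["attachments"] >= bulk_attachments else "medium"
        findings.append({"sender": sender, "severity": severity, "departing": departing,
                         "days_active": (s["last"] - s["first"]).days, **s})
    # Highest severity first, then by attachment volume.
    findings.sort(key=lambda f: (f["severity"] != "high", -f["attachments"]))
    return findings


if __name__ == "__main__":
    for f in find_personal_exfil(parse_mail_log(MAIL_LOG), NOTICE_GIVEN):
        print(f"{f['severity']:6s} {f['sender']:28s} msgs={f['messages']} "
              f"attachments={f['attachments']} departing={f['departing']}")
```

Run against the constructed log, the departing user is flagged high on the first day of forwarding, while a colleague sending a single file to a relative’s webmail account is flagged medium for a human to look at. This rule keys on metadata only; pairing it with content inspection for PHI patterns and with an HR-driven offboarding trigger that cuts access on notice closes the rest of the gap the case above describes.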

Privacy Breaches In VA Health Records Wound Veterans

With HIPAA being enforced more stringently, there have recently been a number of cases in which health providers face HIPAA-related fines or lawsuits. The latest involves none other than the U.S. Department of Veterans Affairs.

While some previous cases looked like unintentional or simple mistakes, a Pittsburgh Tribune-Review investigation found widespread violations at the VA. The investigation stemmed from a former VA employee who claimed that the privacy of her own medical records had been violated.

The subsequent investigation found an astounding 14,215 violations that affected 101,018 veterans and 551 VA employees at 167 facilities since 2010. The violations included using patient information for fraudulent purposes, snooping through patient records, and sharing records without patient consent, both publicly on social media and privately. Some of this sharing was intentional and some unintentional, but either way it violates HIPAA. There were also stolen computers and a lack of encryption that led to further patient-record privacy problems.

The violations and problems within the VA appear to be systemic. The investigation made a number of recommendations to fix their root causes, but it remains to be seen how effective the VA’s efforts will be.

Without a doubt, protecting the privacy of medical records should be paramount for any medical provider, and even more so for the veterans who have served this country. Most of the violations listed above, snooping and sharing in particular, leave traces in record-access audit logs, which the HIPAA Security Rule’s audit controls and information system activity review requirements already oblige covered entities to keep and review. A thorough HIPAA risk analysis and a HIPAA compliance software solution can go a long way toward preventing these kinds of systemic issues within the VA and helping other medical providers stay HIPAA compliant.

Advocate Medical Sued for Breach of Patient Electronic Medical Records

For something as simple as “plain old know better,” Advocate Medical in Illinois could face a penalty of $50,000 or more for a breach of HIPAA law. The attorney who filed the suit, Shannon M. McNulty, has described the breach as a failure “to follow basic operating procedures.”

The lawsuit was filed over the loss of patient records stored on a computer that was stolen in July 2013. The computer’s hard drive may hold the records of nearly 4 million patients, including names, Social Security numbers, addresses, birth dates, medical records and insurance information. The breach gives the thieves information they could use for identity theft and fraud.

In its defense, Advocate Medical stated that it believes the thieves were not targeting the private, sensitive information stored on the computer, and that, given the lack of evidence that the data has been misused, the lawsuit has no merit and Advocate will win the suit.

Unfortunately for Advocate Medical, the HIPAA rules are clear, and an entity of its size will get little sympathy for pleading ignorance. What the thieves were after is also beside the point: the breach analysis turns on whether the data was secured, for example by encryption, not on the thief’s motive.

You can read the full release at

HHS Settles With Affinity Health Plan Inc. In Photocopier Breach Case

Affinity Health Plan, Inc., a not-for-profit, will settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules for $1,215,780 with the U.S. Department of Health and Human Services. HIPAA covered entities like Affinity are required to report to Health and Human Services when protected health information has been improperly disclosed.

CBS Evening News ran an investigative report in which it purchased photocopiers that had previously been leased by Affinity and found that confidential medical information had never been erased from their hard drives. Affinity filed a breach report after CBS informed it of the medical information found on the drives.

Affinity disclosed, without consent, the protected health information of an estimated 344,579 individuals when it returned multiple photocopiers to its leasing agents without first removing the confidential customer information from their hard drives.

Under the agreement, Affinity will pay $1,215,780, take precautions to safeguard electronic protected health information, and make its best efforts to recover all hard drives from the leased photocopiers. Any networked copier or multifunction printer keeps images of what it scans, prints and faxes on an internal drive, so it belongs in the asset inventory and has to be sanitized before it is sold, returned or sent out for service; NIST SP 800-88 describes the accepted clear, purge and destroy methods. You can read more about the agreement here.
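As an added example (not part of the original article, and not Affinity’s or HHS’s process), the following Python script shows the check that was missing before those copiers went back to the lessor: verify that a drive image is actually wiped and, if it is not, list the file signatures still sitting on it, which is what CBS found by hand. The file magic values are the standard ones for those formats; the copier images, the scan contents inside one of them, and the signature list itself are constructed for the example.

```python
from typing import Dict, List, Optional, Tuple

# Signatures of formats a copier/MFP typically leaves on its disk: scans land
# as PDF, JPEG or TIFF, and office documents are ZIP containers.  The list is
# a starting point for the example, not an exhaustive one.
FILE_SIGNATURES = {
    "PDF": b"%PDF-",
    "JPEG": b"\xff\xd8\xff",
    "TIFF-LE": b"II*\x00",
    "TIFF-BE": b"MM\x00*",
    "ZIP/OOXML": b"PK\x03\x04",
}
BLOCK = 4096


def first_residual_offset(image: bytes, fill: int = 0x00) -> Optional[int]:
    """Offset of the first byte that is not the expected wipe pattern, or None if clean."""
    pattern = bytes([fill]) * BLOCK
    for off in range(0, len(image), BLOCK):
        chunk = image[off:off + BLOCK]
        if chunk != pattern[:len(chunk)]:          # cheap block compare first
            for i, b in enumerate(chunk):          # then locate the exact byte
                if b != fill:
                    return off + i
    return None


def carve_signatures(image: bytes, limit: int = 100) -> List[Tuple[int, str]]:
    """(offset, type) for every known file signature found, capped at `limit` hits."""
    hits: List[Tuple[int, str]] = []
    for name, magic in FILE_SIGNATURES.items():
        pos = image.find(magic)
        while pos != -1 and len(hits) < limit:
            hits.append((pos, name))
            pos = image.find(magic, pos + 1)
    return sorted(hits)


def verify_sanitized(image: bytes, fill: int = 0x00) -> dict:
    """Pass/fail for a drive image that is supposed to have been wiped with `fill`."""
    residual = first_residual_offset(image, fill)
    if residual is None:
        return {"sanitized": True, "first_residual": None, "artifacts": []}
    return {"sanitized": False, "first_residual": residual, "artifacts": carve_signatures(image)}


def sanitization_report(images: Dict[str, bytes]) -> Dict[str, dict]:
    """Run the check over every drive pulled from returned equipment."""
    return {name: verify_sanitized(img) for name, img in images.items()}


# --- constructed sample images (not from any real copier) ---
_SCAN_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Title (Claim scan 2013-09-30 MEMBER 0012345) >>\n"
             b"endobj\n%%EOF\n")
_SCAN_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x7f" * 64 + b"\xff\xd9"


def _image_with(chunks: Dict[int, bytes], size: int) -> bytes:
    buf = bytearray(size)
    for off, data in chunks.items():
        buf[off:off + len(data)] = data
    return bytes(buf)


SAMPLE_DRIVES = {
    # Wiped properly: every byte is the fill pattern.
    "copier_A_wiped": bytes(65536),
    # "Deleted" from the copier's own menu, which only cleared the directory: scans remain.
    "copier_B_returned": _image_with({8192: _SCAN_PDF, 20480: _SCAN_JPEG}, 65536),
}

if __name__ == "__main__":
    for name, result in sanitization_report(SAMPLE_DRIVES).items():
        print(name, result)
```

This verifies the logical image only. On SSDs and flash-based copier storage, remapped or over-provisioned blocks are not visible through the block device, so the purge itself should use the drive’s built-in secure erase or cryptographic erase as NIST SP 800-88 describes, with a check like this one as the verification step, not as the wipe.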

Make sure that your data is secure and that you mitigate as much risk as possible by engaging with HIPAA One.