Those who do not learn history are doomed to repeat it. This quote, attributed to the philosopher George Santayana, may sound a bit ominous and foreboding, but it is nonetheless true. In fact, the strength of current IT systems and the security of the data they hold is based on the fact that over the years, we've noticed exploitable flaws and have since addressed them to improve information security. Even today, hackers and thieves are finding new ways into organizations' sensitive information. So, to help ensure that you don't make the same mistakes, here are three famous HIPAA lawsuits and how you can avoid falling into the same traps they did.
UCLA School of Medicine
In 2010, a former UCLA Medical Center researcher was sentenced to four months in federal prison. The reason? The ex-researcher had illegally accessed UCLA medical records over 300 times. He viewed the health records of his past supervisors, coworkers, and even several celebrities including Tom Hanks and Leonardo DiCaprio. On top of his four months, he also received a $2,000 fine.
While the University was ultimately not held responsible for the actions of a disgruntled former employee, this court case shows the extent to which an organization needs to go to secure its information. Your systems should be secure enough so that only those who are supposed to have access to classified information do, and those that shouldn't (such as past employees) do not have that access.
The lesson to be learned here? Ensure that your classified and personal organization information is, in fact, secure, especially from people who were once a part of your team but are no longer there. Your IT systems should be adaptive enough to handle employee turnover. While we hope that your employees would never do something like this, you can never be too careful.
Downers Grove Advocate Health Care
Downers Grove had to pay $5.5 million to settle claims that the health care organization had violated HIPAA. Downers Grove went through three separate data breaches, starting in 2013 when four laptops were stolen from one of their offices during a burglary. Not more than a few months later, an outside party accessed one of Downers Grove's networks, potentially compromising more than 2,000 patients' information.
After conducting an investigation, the OCR concluded that Advocate had failed to assess the risks to its ePHI, restrict physical access to its IT systems, obtain a written record that its associates would protect Advocate's ePHI, and guard an unencrypted laptop while it was in an unlocked car overnight.
In other words, the investigation into the breaches concluded that Downers had failed to properly assess the risks to its electronic protected health information, to limit physical access to its data, and to guard an unencrypted laptop while it was in a car overnight.
What should we take away from this illustration of negligence? Just that. Don't be negligent with your confidential information. Always assume that there is someone out there trying to get at your data. Take the extra precautions, be careful, be diligent, and make sure that you have the necessary safeguards to avoid having to pay a fine of this magnitude yourself.
Oregon Health & Science University
Well, it wasn't as bad as $5.5 million, but the Oregon Health & Science University did have to pay $2.7 million as well as work through a three-year corrective action plan. This happened after a federal investigation found "widespread and diverse" problems with their data protection systems.
Between 2012 and 2016, there were four data breaches that involved more than 500 individuals' information, as well as the storage of data on more than 3,000 others.
The investigation concluded that 1,361 of the 3,000 individuals were at risk because of the sensitive nature of their diagnosis information. In addition to diagnoses, the exposed data included credit card and payment information, procedures, photos, driver's license numbers, and Social Security numbers, the OCR statement said.
Similar to the previous case, this case is all about making sure that your information technology is secure and impenetrable by anyone outside the organization who shouldn't have access to sensitive information.
Call Medicus IT to Secure Your Information
At Medicus IT, we work with healthcare providers to solidify their security systems and provide them with the assurance that their information is protected. As a leading healthcare IT support provider in the United States, we