The purpose of this blog is to educate the reader on HIPAA and provide helpful tips that will help you remain compliant with the law. This post focuses on the breach of a California government agency, which has experienced the largest HIPAA breach of 2018. The agency was ransacked by thieves who may have the ability to access and expose PHI.
The largest HIPAA breach of 2018 occurred back in February and potentially affects over 582,000 individuals. The California Department of Developmental Services was the victim of a break-in and theft by vandals who stole 12 government computers and also had access to protected health information (PHI).
It’s unknown whether the thieves have malicious intent for the compromised PHI or if they’re still able to access it. The CA agency reported the breach to OCR in early April and sent letters to all affected patients warning them that their information may have been compromised, which is compliant with the allotted time frame under HIPAA and may lessen any consequences they may face.
There has been no official case or settlement since the breach occurred, but we can make an educated guess on what fines the CA agency may face should that information be leaked by the thieves. We know that the breach was caused by an outside threat, and the information was stolen from government computers, which likely had many security measures in place to prevent the exposure of any PHI. We don’t know if the PHI was properly encrypted to further secure the information, but that is likely what will define this as a case of due diligence or reasonable cause.
In the case of due diligence, fines range from $100 to $50,000 per violation, assuming this isn’t a repeat offense, which would instead raise the amount to $25,000 to $1.5m per violation.
If this case were to be classified under reasonable cause, the amount of the fines would range from $1,000 to $100,000 per violation, or $50,000 to $1.5m per violation if this were a repeat offense.
There’s no evidence suggesting that the CA agency has experienced a HIPAA breach in the past, so we can be confident that they’d receive a relatively lower fine than if this were a repeat offense.
Let’s assume that in the case of due diligence, they’d receive a penalty of $100 per violation and a penalty of $1000 in the event that it’s classified as reasonable cause. There were 582,174 potentially affected individuals. That would bring the entire fine between $58m and $582m approximately.
HIPAA breaches can always teach us something valuable. Here are some helpful tips to ensure that you remain compliant with the law.
1. Ensure that all of your computers are password protected.
2. Never share passwords to ensure that PHI does not get into the wrong hands.
3. Control who can access certain information.
4. Encrypt any data stored on a computer or network, and keep the encryption keys separate from the encrypted data. This ensures that thieves who take the hardware can’t read and expose any PHI.
5. In the event that PHI is potentially or definitely compromised, take all necessary steps to notify affected patients as well as the OCR. Not only is that the lawful and moral thing to do, but it can also reduce the fines you may receive.
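Tip 4 is the one that decides whether stolen hardware turns into a reportable PHI exposure. The following is an added example, not code from the original post or from the California agency, showing what "encrypted at rest" means in practice: a PHI record is sealed with AES-256-GCM using only Go's standard library, so a disk image taken off a stolen machine holds only ciphertext, and any alteration of the stored blob is detected on decryption. The patient record and the key-handling are constructed for illustration; in a real deployment the key would live in a hardware-backed store or key-management service, never on the same disk as the data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// samplePHI is a constructed record for illustration only (not real patient data).
const samplePHI = "patient_id=000123;name=Jane Doe;dob=1970-01-01;dx=J45.909"

// NewKey generates a random 256-bit key. In production this key is held in a
// KMS or hardware token, not written next to the data it protects.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// SealPHI encrypts a PHI record with AES-256-GCM. The stored blob is
// nonce || ciphertext || authentication tag, so the nonce travels with
// the record and the tag lets OpenPHI detect tampering.
func SealPHI(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag to the nonce slice passed as dst.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// OpenPHI decrypts a blob produced by SealPHI. It fails closed: a wrong key,
// a truncated blob, or a single flipped byte all return an error.
func OpenPHI(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(blob) < ns+gcm.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	nonce, ciphertext := blob[:ns], blob[ns:]
	return gcm.Open(nil, nonce, ciphertext, nil)
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	blob, err := SealPHI(key, []byte(samplePHI))
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored on disk (%d bytes): %x\n", len(blob), blob)

	// Simulate a thief modifying the stolen file: authentication fails.
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	if _, err := OpenPHI(key, tampered); err != nil {
		fmt.Println("tampered blob rejected:", err)
	}

	// The legitimate system, holding the key separately, reads the record back.
	pt, err := OpenPHI(key, blob)
	if err != nil {
		panic(err)
	}
	fmt.Println("decrypted with the right key:", string(pt))
}
```

The point to take from the demo is that the security of the stored record rests entirely on where the key is kept: the same blob that is unreadable to a thief is readable to anyone who finds the key on the same stolen disk, which is why the caveat in tip 4 about separating keys from data matters as much as the encryption itself.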