The theft of an iPhone belonging to an employee of the Catholic Health Care Services (CHCS) of the Archdiocese of Philadelphia sparked a hot-button breach of protected information case that appears to have been resolved. As of July 7th, 2016, a settlement was reached between the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) and the CHCS of Philadelphia, which is a partner under the Health Information Portability and Accountability Act (HIPAA). The CHCS employee’s iPhone was not password protected or encrypted and contained a significant amount of sensitive data on roughly 400 nursing home residents. Information included Social Security numbers, medical diagnostic and treatment information on the residents, their medications, medical procedures, names of family members, and more. The settlement payout was $650,000, also regarded as a fine levied.
Is Your Information at Risk?
This is the damage that the theft of just one unencrypted iPhone can do. Most people don’t carry around all that sensitive data on hundreds of people, but for employees of companies, it’s a different matter. We have spoken on this blog before of the urgent need for corporations, LLCs, SMEs, and other organizations to safeguard their telecommunications hardware with mobile device management (MDM) strategies that protect from situations like the case cited in this article. Really, any company that has any number of employees using company mobile devices is at risk of data theft and exploitation.
A Brief History of Cyber Theft
Back in February 2014, the Office for Civil Rights at the Department of Health and Human Services received notices from 6 different nursing homes in Philadelphia affected by the CHCS employee’s iPhone theft. The OCR considered the theft blatant disregard of the HHS bylaws and the HIPAA Security Rule pertaining to personal health information (PHI) protection. “Business associates must implement the protections of the HIPAA Security Rule for the electronic protected health information they create, receive, maintain or transmit from covered entities,” Jocelyn Samuels, OCR Director, said in a statement. The HHS and HIPAA partner with and watchdog organizations they feel would put their patrons at high risk of liability should they default on PHI restrictions. But, is enough being done to make sure compliance happens? Clearly, the answer is no. This is not the only case of device theft and cybersecurity breaches causing significant liability and damage to many because simple IT security safeguards were ignored. The OCR has also just settled a $2.7 million case stemming from two 2013 health information data breaches within Oregon University.
Preventative Action or Corrective Action
Preventative action or corrective action–one of these situations costs far less than the other. Just ask Japan, a nation now scrambling to put up cybersecurity defenses after it got caught having ignored proper IT security measures. They are now spending millions on corrective action, as is the nation of India, as well as other territories and organizations, like the CHCS of Philadelphia. You don’t want to be on that list–especially when storing personal health information and other customer data in your files. Putting proper cybersecurity and data protection measures in place before disaster occurs is critical. IT security disasters can include any of the following:
403Tech Inc is the trusted choice when it comes to staying ahead of the latest information technology tips, tricks, and news. Contact us at (403) 215-7506 or send us an email at [email protected] for more information.