Opportunity Lost, Lesson Learned: OCR’s $3.2 Million Message to Children’s Medical Center

The U.S. Department of Health and Human Services, Office for Civil Rights (OCR), announced on February 1, 2017, that it imposed a $3.2 million civil money penalty against Children’s Medical Center of Dallas (“Children’s”) for impermissible disclosure of unsecured electronic protected health information (ePHI) and many years of non-compliance with multiple standards of the HIPAA Security Rule. What makes this case particularly painful is that it appears Children’s had many opportunities to mitigate its noncompliance–and to lessen the penalty–but failed to fully take advantage of those opportunities.

Eleven years ago, in 2006, one year after the HIPAA Security Rule took effect, Children’s retained a third party to conduct a security gap analysis and assessment. That assessment identified the absence of risk management as a major finding. The third party consultant recommended that Children’s implement encryption to avoid loss of ePHI on stolen or lost laptops. Recommendation not taken.

In 2008, Children’s engaged a different third party vendor to conduct a separate analysis of threats to ePHI. That vendor also determined that encryption was necessary and appropriate, and identified the loss of data at rest through unsecured mobile devices as being a high risk for Children’s. Although required by the HIPAA Security Rule, Children’s failed to document its decision to not implement encryption or any applicable rationale behind a decision to use alternative security measures.

Time passed. No encryption. You guessed it.

In January 2010, Children’s filed a breach report with OCR regarding the loss of an unencrypted, non-password protected BlackBerry device at the Dallas/Fort Worth International Airport, exposing the ePHI of approximately 3,800 individuals.

In December 2010, a Children’s medical resident lost an iPod device that had been synched to the resident’s Children’s email account, resulting in the unencrypted ePHI of 22 individuals being placed on the device.

In 2012, OCR issued the findings of its audit of Children’s identifying, among other things, insufficient controls for devices, including smartphones and USB drives.

In July 2013, Children’s filed another HIPAA Breach Notification Report with OCR, reporting the April 2013 theft from its premises of an unencrypted laptop containing ePHI of 2,462 individuals. Although Children’s had implemented some physical safeguards to its laptop storage area (e.g., badge access and a security camera at one of the entrances), it had allowed janitorial staff unrestricted access to the area where the laptop with unencrypted ePHI was stored. Children’s internal investigation concluded that the laptop was probably stolen by a member of the janitorial staff.

OCR’s subsequent investigation of Children’s revealed a lack of policies, a lack of device and media controls, failure to implement risk management plans (contrary to prior external recommendations to do so), and failure to deploy encryption or an equivalent alternative measure on all of its laptops, workstations, mobile devices and removable storage media until April 2013, when the laptop theft occurred. OCR noted that, despite Children’s knowledge about the risk of maintaining unencrypted ePHI on its devices as far back as 2007, Children’s issued unencrypted BlackBerry devices to nurses and allowed its workforce members to continue using unencrypted laptops and other mobile devices until 2013.

OCR issued a “Letter of Opportunity” to Children’s in May 2016, noting that OCR’s efforts to resolve the matter by informal means had been unsuccessful. In response, Children’s put forth a defense to OCR’s allegations but to no avail. By law, for violations occurring after February 2009, OCR could not impose a civil money penalty on Children’s if Children’s could establish to OCR’s satisfaction that the violations were not due to willful neglect and were corrected during the 30-day period beginning on the first date it knew, or, by exercising reasonable diligence, would have known that the violation occurred. However, Children’s had not made corrections of its violations within that timeframe.

In September 2016, OCR notified Children’s of its findings and the proposed penalty. OCR had considered as aggravating factors the amount of time that Children’s continued to use unencrypted devices, even after express recommendations of consultants and the OCR that encryption was necessary for ePHI security. The notification included instructions for requesting a hearing to challenge the proposed penalties. Children’s did not request a hearing.

On January 18, 2017, OCR issued a notice to Children’s that the full civil money penalty of $3.2 million was final.

Children’s did the compliant thing, back in 2006 and 2008, to conduct security risk assessments. Ignoring the results of such risk assessments is a common failure of HIPAA covered entities and their business associates. Children’s learned the hard way that not implementing recommended measures, such as failing to implement encryption and device controls, and not correcting violations that come to light, may seem like the right (or the economically sound) decision at the time, but can prove to be extremely costly in the end. Especially if you just keep doing it.

For advice on security risk assessments, policies and protocols, and corrective action plans for security violations, contact Denise L. Sanders, Esq., shareholder at Capehart Scatchard, who regularly advises healthcare providers and vendors on requirements of HIPAA Privacy and Security and federal and state Data Breach Notification rules.


It’s Not Just Ransomware – It’s a Breach!

Ransomware.  It’s in the headlines, but what is it?  Recently, the U.S. Department of Health & Human Services’ Office for Civil Rights (OCR) provided a layperson’s description:

Ransomware is a type of malware (malicious software) that attempts to deny access to a user’s data, usually by encrypting the data with a key known only to the hacker who deployed the malware, until a ransom is paid. After the user’s data is encrypted, the ransomware directs the user to pay the ransom to the hacker (usually in a cryptocurrency, such as Bitcoin) in order to receive a decryption key.

The description is included in a Fact Sheet on Ransomware and HIPAA (the Health Insurance Portability and Accountability Act), containing OCR’s guidance to healthcare entities on how to guard against ransomware and how to respond to a ransomware attack. The Fact Sheet notes that, on average, there have been 4,000 daily ransomware attacks since early 2016, a 300% increase over the 1,000 daily ransomware attacks reported in 2015.  And these are only the reported attacks.

The Fact Sheet provides extensive and detailed guidance on how entities subject to HIPAA should be protecting against ransomware. If safeguards have been put in place as required by HIPAA, ransomware should be less likely to occur and less likely to be devastating to an entity.  But of note in the guidance is the discussion of what else ransomware can be—a breach.  Specifically, a breach of protected health information (PHI) that must be reported as required under applicable law.

The scenario set forth by the OCR is one where a laptop, encrypted with a full disk encryption solution, is powered on and in use by an authenticated user, who then performs an action (clicks on a link to a malicious website, opens an attachment from a phishing email, etc.) that infects the laptop with ransomware. Full disk encryption protects data only while the device is powered off or locked; once the user has unlocked the disk, the operating system decrypts every file transparently for any process running in that user’s session. So if full disk encryption is the only encryption solution in use to protect the PHI, and the ransomware accesses the file containing the PHI, that file will be transparently decrypted by the full disk encryption solution and access permitted to the hacker with the same access levels granted to the user.

Because the file containing the PHI was decrypted and thus constituted “unsecured PHI” at the point in time that the ransomware accessed the file, an impermissible disclosure of PHI was made and a breach is presumed.  In that case, the victimized entity must conduct the required assessment to determine if breach notification must be provided to all affected persons and to applicable authorities.

The OCR’s analysis (and the U.S. Government Interagency Guidance Document, referenced here in How to Protect Your Networks from Ransomware) should be heeded by any business that holds personal information in electronic form. That’s because state identity theft prevention laws, as well as certain federal laws, apply to such businesses. And those laws contain security mandates and breach notification obligations similar to what is required of healthcare entities under HIPAA.

Ransomware is a formidable challenge and potentially devastating to a business.  And breach notification is usually a substantial and costly undertaking.  All businesses—not just healthcare entities—that maintain personal information in electronic form, should take the threat of ransomware seriously and implement the necessary policies, procedures and technical safeguards to guard against it.  The OCR’s guidance can be found on the ransomware fact sheet.