Why Your Vendor’s Errors Could Cost You Millions in HIPAA Fines

Rebecca Yarbrough, May 3rd, 2019

Data breaches usually don’t involve a dark room with a hacker in a hoodie hunched over a computer. “Some industry researchers predict that 80 percent of cloud data breaches will be due to customer misconfiguration, mismanaged credentials or insider theft, rather than cloud provider vulnerabilities, by 2020” according to Mark Johnson in an article by Data Breach Today.

If you’re in the healthcare space, this is particularly serious because HHS requires covered entities and their business associates to report breaches of unsecured PHI, even when there is no evidence that anything nefarious was done with the exposed healthcare data.

“Last year was a year of ‘record’ fines, some $25 million for several exposures and breaches, including $4.3 million in fines to the University of Texas for an inadvertent disclosure of encrypted personal health data, and a settlement by Fresenius for $3.5 million following five separate breaches,” according to Zack Whittaker of TechCrunch.

Many of the HIPAA data breaches on the HHS Wall of Shame are a direct result of the provider giving full access to unencrypted data to a vendor or employee, relying on them to secure it properly, and then being liable when that didn’t happen.

Here, we’ll look at three breaches that could have been prevented by encrypting the data end-to-end, or under a multi-party encryption scheme, before it ever reached the database.

A misconfigured Elasticsearch database exposed over six million records with patient healthcare data

Most healthcare companies rely on electronic medical records (“EMR”) systems to manage the security of their patients’ PHI. But EMR vendor Meditab left the server holding the faxes sent over its system without a password for almost a year and did not encrypt the files stored on it. According to TechCrunch, Meditab claimed to be HIPAA compliant but “anyone could read the transmitted faxes in real-time — including their contents. The faxes contained a host of personally identifiable information and health information, including medical records, doctor’s notes, prescription amounts and quantities, as well as illness information, such as blood test results. The faxes also included names, addresses, dates of birth, and in some cases Social Security numbers and health insurance information and payment data, as well as personal data and health information on children.”

A “coding error when data was being moved onto a new server” exposes health records for almost a million patients at UW Medicine

A misconfigured database left patient data exposed on the internet for several weeks and resulted in a breach affecting 974,000 individuals, as reported by Data Breach Today. Incredibly, the mistake was discovered by a patient who was conducting a Google search for their own name and found a file containing their information. Once regulators confirm the details and add the incident to the HHS website, it could be the largest health data breach reported so far in 2019.

Insurer WellPoint pays $1.7 million for “temporary security lapse during a system upgrade by a third-party vendor”

According to reporting by Data Breach Today, the HHS Office for Civil Rights says its investigation into the WellPoint breach focused on security weaknesses in an online insurance application tracker database that left the electronic protected health information of more than 612,000 individuals temporarily accessible to unauthorized individuals over a website. That data included names, dates of birth, addresses, Social Security numbers, telephone numbers and health information.

Even though there was no evidence in any of these breaches that the data was used maliciously or otherwise misused, each organization still had to report the incident to HHS, which posts it publicly on the online Wall of Shame.

HIPAA compliance is not a one-time exercise. It is an ongoing process, and most of its failures come down to human behavior. With the stakes this high, you cannot stake your company’s reputation and financial security on the hope that third-party vendors, employees without the right training, or anyone else with access to your database will never make a mistake. Instead, your security decisions can be simplified with zero-trust end-to-end encryption.

Locking up data with cryptographic tools like end-to-end encryption and PureKit limits the damage a careless mistake can do. A vendor or employee who handles only ciphertext, without the key, cannot read it, so an open server or a leaked dump exposes far less. Under the HIPAA Breach Notification Rule, PHI that has been encrypted per HHS guidance is not considered “unsecured”, so had the data in the breaches above been encrypted at the application layer, with the keys held elsewhere, it might not have been necessary for any of these companies to report the breach to HHS at all. The caveat is that this protection holds only if the key was not exposed along with the data: encryption on the wire to a server that stores plaintext, or a key sitting on the same misconfigured host, gives no such relief.
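As an added example (not part of the original post, and not Virgil’s PureKit or SDK code), the Go program below shows what “the vendor handles only ciphertext” means in practice: each PHI field is sealed with AES-256-GCM at the application layer before it is written, so a leaked table or an open Elasticsearch index yields opaque blobs; the record ID is bound in as associated data so a ciphertext cannot be silently moved to another row; and the key is assumed to live outside the database (a KMS or HSM in production, a random key here). The Record type, the patient IDs and the SSN value are constructed sample data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Record is what the database (and any vendor with read access) actually holds:
// a public row identifier and an opaque ciphertext. Plaintext never reaches the DB.
// Constructed sample type for this example.
type Record struct {
	ID  string // row identifier, also bound into the ciphertext as associated data
	SSN string // base64(nonce || AES-256-GCM(plaintext SSN))
}

// EncryptField seals one PHI field with AES-256-GCM. The record ID is passed as
// associated data, so the same ciphertext copied into another row will not decrypt.
func EncryptField(key []byte, recordID, plaintext string) (string, error) {
	if len(key) != 32 {
		return "", errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize()) // 12 random bytes; must never repeat under one key
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	// Seal appends ciphertext+tag to the nonce so one blob carries everything needed to open it.
	sealed := gcm.Seal(nonce, nonce, []byte(plaintext), []byte(recordID))
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// DecryptField reverses EncryptField. Any change to the ciphertext, the tag or the
// record ID makes gcm.Open fail, which is exactly what we want on a tampered dump.
func DecryptField(key []byte, recordID, encoded string) (string, error) {
	if len(key) != 32 {
		return "", errors.New("key must be 32 bytes (AES-256)")
	}
	sealed, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	if len(sealed) < gcm.NonceSize() {
		return "", errors.New("ciphertext too short")
	}
	nonce, body := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	plain, err := gcm.Open(nil, nonce, body, []byte(recordID))
	if err != nil {
		return "", err
	}
	return string(plain), nil
}

// DumpExposesPlaintext is the question a breach response asks of a leaked table:
// does any stored value contain the sensitive string in the clear?
func DumpExposesPlaintext(dump []Record, secret string) bool {
	for _, r := range dump {
		if strings.Contains(r.SSN, secret) {
			return true
		}
	}
	return false
}

func main() {
	key := make([]byte, 32) // in production: fetched from a KMS/HSM, never stored beside the data
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	ct, err := EncryptField(key, "patient-001", "123-45-6789") // constructed sample PHI
	if err != nil {
		panic(err)
	}
	db := []Record{{ID: "patient-001", SSN: ct}}
	fmt.Println("stored value:", db[0].SSN)
	fmt.Println("dump exposes SSN:", DumpExposesPlaintext(db, "123-45-6789"))
	pt, err := DecryptField(key, "patient-001", ct)
	fmt.Println("holder of the key reads:", pt, err)
	_, err = DecryptField(key, "patient-002", ct)
	fmt.Println("same ciphertext under another record ID:", err)
}
```

The design choice that matters here is where the key lives: DumpExposesPlaintext only keeps answering “false” if the key was never on the server that leaked, which is the same condition the HIPAA safe harbor for encrypted PHI depends on.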

How to get started?

Explore Virgil Security’s tools for HIPAA compliance here. Developers can sign up for a free Virgil Security account and learn how to implement end-to-end encryption and PureKit use cases here in the documentation.

Want to learn more? Contact us to talk about your use case and how to send and store ePHI in a HIPAA-compliant manner.

Virgil Security, Inc. builds developer toolkits that solve business problems by encrypting data and therefore lessening legal and compliance liability. Teams can secure their application data with end-to-end encryption, manage devices across a network, and secure passwords and PII in the database using Virgil’s suite of open source SDKs. To learn more, visit https://VirgilSecurity.com.
