Earlier this month, the New York State Attorney General announced a settlement agreement with the University of Rochester Medical Center (URMC) over a data breach earlier this year. URMC will pay a $15,000 fine and is required to train its staff on proper data security procedures for protected health information.
The settlement agreement is dated November 20, 2015. It describes the April 2015 events surrounding the data breach:
"... a URMC nurse practitioner gave a list containing 3,403 patient names, addresses, and diagnoses to her future employer, Greater Rochester Neurology (“GRN”), without first obtaining authorization from the patients. On April 21, 2015, GRN used the information to mail letters to the patients on the list informing them that the nurse practitioner would be joining the practice and advising them of how to switch to GRN. URMC learned of the breach three days later, when calls began coming in from patients who were upset about the letter. The nurse practitioner was subsequently terminated, notification letters were sent to the affected patients... GRN has attested that all health information transmitted by URMC has been returned or deleted."
State attorneys general were empowered by federal law in 2009 (the HITECH Act) to enforce Health Insurance Portability and Accountability Act (HIPAA) violations. Hospitals are required by law to provide patients with a Notice of Privacy Practices document, which patients and their families should read. Read the URMC NPP (Adobe PDF).
This is not the first data breach at URMC. There were three prior data breaches, the latest in 2013. The HIPAA Breach Notification Rule requires health care organizations to report breaches affecting 500 or more individuals to the U.S. Department of Health and Human Services within 60 days; smaller breaches need only be reported annually. The URMC settlement agreement (Adobe PDF) imposes more stringent reporting requirements on URMC toward the New York State Office of the Attorney General (OAG):
"For a period of three (3) years, commencing from the execution of this Agreement, if URMC determines that a member of the workforce has breached unsecured protected health information, consistent with the HIPAA Breach Notification Rule, URMC is to notify the OAG of the breach within sixty (60) days of the breach if the number of individuals affected by the breach is fifteen (15) or more (for breaches of fourteen (14) or fewer URMC to notify the OAG annually), in addition to the existing notification responsibilities."
A survey earlier this year found that 45 percent of patients were "very" or "moderately concerned" about the security of their medical records, including access by unauthorized persons, which could lead to identity theft and fraud. A breach earlier this year at electronic records vendor Medical Informatics Engineering highlighted the fact that data breaches at health care organizations expose patients to both medical and financial fraud.
While the fine in this case is tiny compared to the multi-billion-dollar fines paid recently by several big banks, it is still important because people expect health care organizations to properly secure and protect sensitive patient information. Experts have warned that resolving medical identity fraud can be costly and time-consuming and can require plenty of effort and expertise, since the victim's medical records have often been corrupted with the thief's medical and health information.
If URMC experiences more data breaches, steeper fines and a longer period of more stringent breach reporting would seem warranted, given URMC's breach history. What are your opinions of the settlement agreement?
[Editor's note: In the interest of full disclosure, I have no relationship with URMC except that I am a graduate and alum of the University of Rochester.]