Why 2016 could be banner year for health-care data breach fines


Sloppy cybersecurity for your patients' health-care records could cost you — lots.

Federal health regulators this week touted the fact that they had obtained a record-breaking $5.55 million settlement with one of the nation's biggest health-care systems related to breaches that compromised about 4 million electronic patient records containing names, addresses, birth dates, credit card information and other data.

But that deal is just the latest of several similar big settlements since late 2015, whose high dollar amounts put them in the top 10 of data breach settlements ever obtained by the U.S. Health and Human Services Department.

Since last November, HHS's Office for Civil Rights (OCR) has obtained more than $16 million in settlements from just five entities related to electronic patient data breaches.

"It's accelerating," said Bill Ho, CEO of Biscom, a provider of secure document delivery solutions. "We're going to see some big fines coming down the pike, for sure. This won't be the biggest for long."

Ho said that HHS for much of the time since the 1996 passage of the patient privacy law known as HIPAA, "didn't enforce any of the penalties," or imposed relatively few penalties. That reflected regulators' understanding that it would take time for health-care providers to make changes to comply with the law, Ho said.

"We've definitely seen more recently the OCR coming out and saying, 'You're in violation,' " Ho said. "They're finally saying, 'You've got to pay the piper.' It's time for the OCR to step up and make examples."

"These fines that people are seeing, and the fact that OCR is starting to play hardball," Ho said, will make hospitals "take these things seriously."

And there are certainly more opportunities for big settlements or fines.

In 2012 OCR resolved 9,407 HIPAA complaints. The number of resolutions grew to 14,293 in 2013, and then again to 17,748 in 2014, the last year for which data is publicly available. It can take several years between an initial report of a data breach and a settlement with OCR.

Three of the largest data breaches for health providers ever recorded occurred last year, when hacking of network services affected nearly 79 million people at the insurer Anthem, and 10 million or more people each at the insurers Premera Blue Cross and Excellus Health Plan.

Earlier this week, the Arizona-based hospital system Banner Health revealed that 3.7 million patients, health plan members and customers of the system's food services might have had their private information compromised by a cyberattack. That attack targeted a system that handled credit card transactions for Banner's food services, but ended up potentially gaining access to patient information.

Banner Health's breach would be the eighth largest on record if the initially reported number of affected people holds up.

"My guess is that they will be fined as well," Ho said.

The potential number of affected people at Banner Health is just 300,000 or so less than the 4 million patients who had their records compromised at Illinois-based Advocate Health Care Network in three separate breaches in 2013. Advocate Health this week agreed to pay $5.55 million to settle OCR's probe of multiple possible HIPAA violations related to those breaches, without admitting wrongdoing.

Most of the 4 million patient records were compromised by the theft of four computers in 2013; the other two breaches involved a laptop stolen from a staff member's car, and a third party gaining access to patient records through a billing services company used by the physicians' group.

The previous record was the $4.8 million New York-Presbyterian Hospital and Columbia University agreed to pay in May 2014. That case related to more than 6,800 patient records becoming available online after the hospital deactivated a computer network server.

Advocate Health's deal came less than a month after OCR reached two separate settlements with health-care entities for large amounts of money.

On July 18, OCR said that Oregon Health & Science University had agreed to pay $2.7 million in a probe "that found widespread and diverse problems at OHSU."

That investigation began after the university informed OCR of multiple breaches affecting thousands of people, breaches that included two reports involving unencrypted laptops and a stolen thumb drive that was likewise unencrypted.

OCR faulted OHSU for not conducting risk analyses that covered all of the electronic protected health information in the university's systems, and for storing such information for more than 3,000 people on a cloud-based server without a business-associate agreement requiring that those patient records be protected in compliance with HIPAA.

"OCR found significant risk of harm to 1,361 of these individuals due to the sensitive nature of their diagnoses," the agency said in a press release.

Three days after that settlement was disclosed, OCR said it had reached a settlement requiring the University of Mississippi Medical Center to pay $2.75 million after a probe sparked by a breach affecting about 10,000 people. Those patients' information was stored on a laptop computer that went missing from the medical center's intensive care unit after a visitor asked about borrowing a laptop.

"During the investigation, OCR determined that UMMC was aware of risks and vulnerabilities to its systems as far back as April 2005, yet no significant risk management activity occurred until after the breach, due largely to organizational deficiencies and insufficient institutional oversight," OCR said.

Another big payout came in March, when North Memorial Health Care of Minnesota agreed to pay $1.55 million to settle charges that it potentially violated HIPAA by failing to enter into a business associate agreement with a major contractor and failing to implement a system-wide risk analysis. Almost 9,500 North Memorial patients had their records compromised when a laptop was stolen from the car of a worker at a business associate of the health-care system.

In November, a Puerto Rico-based insurance company, Triple-S Management Corp., agreed to pay $3.5 million to settle OCR probes related to deficiencies in the company's HIPAA compliance program that were uncovered after multiple breach reports.

Triple-S had reportedly experienced at least eight separate breaches since 2010, five of which occurred in 2014. The breaches exposed protected health information for more than 1 million people.