AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

AlertBoot Endpoint Security

February 2018 - Posts

  • HIPAA Breach Results In Lawsuit And Countersuit Between Aetna and KCC

    Reuters reported earlier this month that Aetna, the health insurance company, and Kurtzman Carson Consultants (KCC), an administrative-support services provider, have sued each other over a mishandled class action settlement notification.
    Last year, Aetna settled a number of lawsuits regarding the fulfillment of HIV medication prescriptions. With the legal issues finalized, it was up to KCC to mail the settlement notifications and finally close the book on the situation. Unfortunately, the notifications were sent using envelopes with transparent windows, the ones where names and addresses show through. But in this case, there was a little more:
    Most of the first sentence of the notification was also displayed - including the words "when filling prescriptions for HIV medications." [reuters.com]
    That's as private as private information can get. Naturally, Aetna was sued for breach of patient privacy, which the company quickly settled. In turn, the company sued KCC "to indemnify…the entire cost of the notification disaster," or nearly $20 million. Aetna claims that they didn't know that envelopes with transparent windows would be used, that private information would be showing, etc.
    Basically, it wasn't Aetna's fault.
    KCC, however, has countersued, stating that "Aetna and Gibson Dunn [the insurance company's legal representation] knew what the notifications would look like" and, allegedly, approved it prior to mailing out the settlement notifications.
    Obviously, someone has to be lying. The calamities don't end there, however.  

    No Encryption in this Day and Age?

    KCC has also averred in their suit that,
    When Aetna’s lawyers passed along the list of health plan members to be notified about the HIV prescription policy, there was no protective order in place. Nor did Gibson Dunn encrypt all of the data it sent to [KCC].
    In fact, KCC states that protected health information (PHI) was neither encrypted nor password-protected (not that password protection would do any good; it's certainly not a HIPAA-compliant PHI security measure). KCC further claims that "more data than was necessary to perform the noticed function" was sent to them, which is not necessarily forbidden under HIPAA but is definitely frowned upon. In fact, it might be one of those red flags that spark an investigation by the Department of Health and Human Services (HHS).
    On the other hand, passing sensitive patient data around without encryption? We all know how the HHS feels about that one. The Reuters article summed up what's at stake for Aetna and KCC in this manner:
    For both Aetna and KCC, as you can see from the dueling complaints, responsibility for the botched settlement notifications is really an existential question. As a health insurer, Aetna has a moral and legal obligation to protect patient privacy. As a claims administrator, KCC is supposed to know – of all things! – how to mail out a settlement notification without violating recipients' privacy.
    The above is insightful and yet misses a number of observations.
    It should be noted that KCC received the data from Aetna's lawyers. So, if KCC's allegations are true, then Aetna has another business associate that's not paying attention to HIPAA/HITECH requirements. And, what's true for KCC, that they should know how to properly mail out notifications because it's their job, can also be said for lawyers that are sharing sensitive data that belongs to a HIPAA covered entity. After all, the law has specifics on how PHI should be handled by business associates of HIPAA covered entities, and that includes business associates such as lawyers, who, by virtue of their profession and their client, should know not to pass around PHI unencrypted.
    Also, the allegations open up another can of worms for Aetna, seeing how it now has two business associates that have contravened HIPAA/HITECH data security rules in less than one year. It can take very little to get the HHS to open up an investigation into data security violations. Having three HIPAA incidents in a one-year period must certainly attract attention, and KCC's allegations give the HHS a reason to dig more in depth into Aetna's adherence to HIPAA privacy and security rules.


    Related Articles and Sites:
    https://www.reuters.com/article/legal-us-otc-aetna/kcc-sues-aetna-blames-gibson-dunn-in-hiv-settlement-notice-fiasco-idUSKBN1FR2WB
    https://www.reuters.com/article/us-otc-aetna/aetna-sues-claims-administrator-kcc-over-botched-notice-in-hiv-case-idUSKBN1FQ2SR

  • HIPAA Security Trickle-down? Notifications State Sensitive Information Not Contained In Stolen Devices

    According to databreaches.net, two medical entities recently alerted patients of a data breach: Eastern Maine Medical Center (EMMC) and Nevro Corporation.
    In the case of EMMC, an external hard drive went missing. For Nevro, a number of laptops were stolen during a break-in. Information contained in these devices was not protected with data encryption in either case, but then again, "sensitive information" was not stored on any of the devices involved.
    While the lack of encryption seems reasonable at first glance, the truth is that a number of HIPAA / HITECH regulations were probably broken.  

    Eastern Maine Medical Center

    In the case of EMMC, the data breach was triggered when a third-party vendor's hard disk drive disappeared. Bangor Daily News reports that the "missing hard drive contains information on 660 of the patients who underwent cardiac ablation between Jan. 3, 2011 and Dec. 11, 2017."
    The missing drive was last seen on December 19. Reportedly, the storage device contained:
    Patients' names, dates of birth, dates of their care, medical record numbers, one-word descriptions of their medical condition and images of their ablation… [but NOT] Social Security numbers, addresses and financial information.
    On the face of it, it looks like the data breach could be classified by most people as "small potatoes."  

    Nevro Corporation

    Unlike EMMC, Nevro was responsible for its data breach. And yet, the company cannot be strongly faulted for the data mishap: it's not as if the laptops were in an unsafe location (like an employee's car). The laptops were at the company's headquarters, which one assumes was reasonably secure against break-ins.
    Per Nevro's breach notification letter, "nearby business were also targeted" and laptops were stolen from them as well, so chances are that Nevro had comparable security in place. (Either that or most businesses in the area decided to dispense with security, a dubious assumption).
    The company noted that all of the stolen laptops were password-protected "although not all were encrypted." Yet, the silver lining is that "limited categories of information" were stored on these devices and that none of them "contained, sensitive identifying information such as Social Security or other government-issued identification numbers or credit card or financial institution information."
    The "limited information" pertains to names, addresses, and other information similar to what EMMC listed. Indeed, Nevro seemingly implies that it's only sending notifications to affected patients because
    applicable state law considers this type of information [limited information about your treatment relationship with Nevro] sufficient to warrant a notification.
    Again, most people would look at this as small potatoes (especially when you take into consideration what Equifax admitted to last September. That was definitely not small potatoes; heck, it went well beyond the tuber family).
    As pointed out in previous posts, such "not sensitive" information can still be used to carry out fraud and scams. Tech support scams, for example, are successful even though there is very little personal data involved. Can you imagine how much more convincing a phone scam would be if someone called a person about his or her cardiac ablation?
    That being said, the chances of such a scam actually happening are remote. In contrast, the malicious use of SSNs and other information generally considered to be "sensitive" is more than possible. So, the lack of what most people would deem "sensitive personal information" should come as something of a relief to patients.

    Could Still Be a HIPAA Breach

    It may not be, however, a relief for the two organizations. A cursory search on the internet seems to indicate that both fall under the purview of the Health Insurance Portability and Accountability Act (HIPAA). HIPAA has very strict definitions of what is and is not PHI (protected health information).
    As this link shows, names, physical addresses, telephone and fax numbers, email addresses, etc. are considered to be PHI if combined with certain information, such as what medical treatment one was receiving. So, technically, it looks like the two organizations have a full-blown medical data breach on their hands.
    It goes without saying that the use of full disk encryption would have paid wonderful dividends in both cases, because HIPAA provides safe harbor if data is encrypted when lost or stolen. That not being the case, what will be the fallout?
    HIPAA / HITECH data security compliance is administered and overseen by the Office for Civil Rights (OCR) of the Department of Health and Human Services. The OCR has not been shy in dispensing monetary penalties, sometimes in the millions of dollars.
    And, as befitting such large sums, it often takes years to reach a decision on how to deal with HIPAA covered-entities that have suffered a data breach.
    Related Articles and Sites:
    https://www.databreaches.net/records-of-pain-device-patients-on-stolen-nevro-laptops/
    https://www.databreaches.net/eastern-maine-medical-center-notifying-660-cardiac-ablation-patients-after-vendors-hard-drive-discovered-missing-or-stolen/