Happy Halloween from the Help Me With HIPAA team! Each year we have done a special scary episode for Halloween. Last year we took you on a tour of a haunted house. This year for HIPAA Horror Stories V3 we get to hear a campfire horror story. So gather around and hear how scary HIPAA mishaps can be for us all!
HIPAA Horror Stories 2017
It started as a great day for Elvira as she looked out the window after waking up. The sky was blue, sun shining, birds chirping, all that good stuff. With coffee brewing, she opened the email app on her phone to see what came in overnight.
The first message to catch her attention was one from a doctor about a call he received last night. The doctor explained that a patient he knew personally had called to complain. The patient insisted that she had gotten a call from our billing company last night asking for payment in full of a balance on her account. The patient was outraged that someone would call her home at night and demand a credit card to cover a large balance that hadn’t even been processed by the insurance plan yet. The doctor wants to know what is going on, and he must call the patient first thing this morning to explain.
Their office doesn’t use any outside billing company to call patients about balances! What IS going on?
The Day Darkens – HIPAA Horror Stories #2
Before getting out the door there is a call from the office. A rental car company has called to say they found papers with information on 10 of our patients in the back seat of a car that was returned yesterday. What! In a rental car?
The Drive Becomes Terrifying – HIPAA Horror Stories #3
On the drive to the office, a call comes from the tech help desk. The restore they ran after the ransomware attack they noticed last night didn’t bring back the X-rays that are needed for a surgery this morning. No one seems to know what to do.
Except for a relatively limited set of patients, our patient information database was not affected by the ransomware, however, imaging files, such as x-rays, and other documents such as attachments were impacted. While our investigation into the matter continues, it does not appear that patient information was stolen from our system. However, the ransomware has rendered the imaging files and documents inaccessible. Based on our present investigation, it also appears that the ransomware rendered all electronic patient data inaccessible pertaining to visits within approximately three weeks prior to the incident. Because we are unable to determine with reasonable certainty whether or not the perpetrator(s) placing the ransomware on our systems accessed patient information, and due to the impact on the availability of images and other files, we are providing you with notification of this incident.
Panic Starts As An Office Welcome – HIPAA Horror Stories #4
As she walked in the door, the nursing supervisor brought in a news story. A nurse was just convicted of stealing PHI and filing over $1M in fraudulent tax returns. She thinks the nurse worked for them at one time a few years ago.
Nothing Worse Than A Monitor With A Sticky Note – HIPAA Horror Stories #5
As she got to her desk there was a note taped to her screen. It said that the investigation they did yesterday determined that an employee’s email account has definitely been HACKED and used to send spam. And it turns out that while the email was encrypted when it was sent, all of the patient data in the mailbox was accessible once the hacker successfully logged into the hacked account.
The Breaking Point – HIPAA Horror Stories #6
Just as her head was about to explode she jolted awake and realized that it was a nightmare like no other. It was a….
NIGHTMARE ON HEALTHCARE STREET
The Real World Nightmares Elvira Experienced
The real world issues addressed in Elvira’s nightmare are very scary if they are happening to you.
Patients were called about their balances and asked to pay with a credit card. This is a scam that could get out of hand quickly. We all know how many patients are snagged in some of these data breaches. It is just a matter of time before someone rolls this one out on a huge list. The next time someone says that it doesn’t matter if only a name and a phone number were exposed, we have an answer to explain why that matters very much!
When your PHI is found in a rental car you are having a weird day. The fact that the records could be printed and removed without anyone noticing would make anyone’s hair stand on end. It really is a shame that you must always trust but verify with your own staff just like you do with your business associates.
Confidentiality is the thing most people think of when they discuss HIPAA requirements. There is much more to it than that, though. It also covers data integrity and availability. All data must be evaluated to determine its value. Answer these three questions about all of your data to set a value for it:
- What would happen if this got into the wrong hands? (Confidentiality)
- What would happen if I couldn’t trust the data to be accurate? (Integrity)
- What would happen if I could never access this data ever again? (Availability)
This case shows us that onboarding matters a great deal. The fact that she had 28 patients but had gotten them at other places too tells you this was an ongoing thing. It only took 2 days to get that claim filed after a patient arrived. Wow, you just can’t trust; you must verify!
For years we have solved many data breach problems with encryption. That worked well in many cases until now. So many people make the assumption that because email is encrypted they don’t have to worry about email. That could not be further from the truth. Improper access to email accounts happens every day. Phishing for access to email accounts has become an art to some criminals. Nothing in an email account is safe simply because the email is encrypted. Layers of protection are still required for all kinds of messaging.