Wisconsin-based health insurer Centene Corporation has announced the loss of six unencrypted computer hard drives containing the protected health information of approximately 950,000 of its members.
The hard drives were being used for a project to improve the health outcomes of plan members. The individuals impacted by the security breach had all received laboratory services between 2009 and 2015. The data stored on the devices included names, addresses, dates of birth, member ID numbers, Social Security numbers, and laboratory test results.
An initial search was conducted after it was discovered that the devices were missing, and a more comprehensive search of Centene facilities is now being conducted. According to the company’s breach notice, that search is ongoing.
It is possible that the hard drives will be found, but Centene has taken the step of alerting its members to the potential exposure of their PHI out of an abundance of caution. For the same reason, all 950,000 members have been offered a year of credit monitoring services without charge. The loss of equipment has also prompted Centene to conduct a review of its IT equipment management policies.
OCR Has Issued Numerous Fines for the Failure to Secure ePHI
The loss or misplacement of the computer hard drives strongly suggests HIPAA rules have been violated. HIPAA requires all covered entities to ensure that all computer equipment used to store ePHI is secured by appropriate physical controls at all times to prevent loss or theft.
Covered entities are also required to maintain an equipment inventory of all devices used to store, transmit, access or copy ePHI. This includes computers, tablets, fax machines, photocopiers, digital printers, portable storage devices such as flash drives, as well as computer hard drives. A covered entity must be aware of the location of all equipment used to store ePHI, at all times.
The Department of Health and Human Services’ Office for Civil Rights can issue heavy financial penalties to covered entities that fail to maintain control of devices and equipment used to store ePHI.
In 2014, QCA Health Plan, Inc., of Arkansas agreed to pay a settlement of $250,000 after the loss of an unencrypted laptop computer containing the ePHI of 148 individuals. In the same year, Concentra Health Services agreed to settle with OCR for $1,725,220 for potential HIPAA violations uncovered by an OCR investigation into the theft of an unencrypted laptop computer.
Fines for Loss of Computer Hard Drives Used to Store ePHI
The theft of a portable storage device resulted in a heavy fine for the Alaska Department of Health and Human Services (DHHS). The device was stolen from an employee’s vehicle, and the potential HIPAA violations OCR uncovered while investigating the data breach led to a settlement of $1.9 million.
The most relevant example is that of health insurer Blue Cross Blue Shield of Tennessee (BCBST). In 2012, the company agreed to settle potential HIPAA violations stemming from the theft of hard drives from a storage facility rented by BCBST. In that case, 57 unencrypted hard drives were stolen, exposing the PHI of approximately 1 million plan members. BCBST settled with OCR for $1.5 million.
While Centene may yet find the missing devices, that does not necessarily put the company in the clear. Now that OCR has been informed of the security incident, an investigation will be launched. If HIPAA violations are uncovered, a fine may be deemed appropriate.
This incident serves as a reminder to covered entities to ensure that all equipment used to store ePHI can be accounted for. An accurate and up-to-date inventory of all equipment must exist, and devices must be secured with appropriate physical safeguards to prevent loss or theft.
With the next round of HIPAA compliance audits fast approaching, now is an ideal time to conduct an equipment inventory. It is one aspect of the HIPAA rules that is likely to be examined during the compliance audits.