A recent inside-job data breach incident reminds us why we need to take necessary precautions.
HIPAA and financial data present an ongoing asset-protection issue for physicians and medical practices. This week we take a look at a specific exposure suffered by up to 40,000 (yes, 40,000) patients of one Arizona medical practice and some simple precautions that may help your practice avoid the same exposure.
Recent news reports from Scottsdale, Ariz., detail the alleged activities of a medical billing firm employee and her boyfriend. According to news reports, Brittany Davidson and her boyfriend Winfred Aurelious Dick, Jr., were arrested after a Maricopa County Sheriff Captain spotted an unauthorized charge on his credit card. Further investigation revealed Davidson had reportedly stolen his credit card information from the medical billing firm where she worked, which handled billing for a Scottsdale dermatology clinic. As a result, the financial data of as many as 46,000 patients may have been exposed by the duo that used patient credit card numbers for items ranging from rims and tires to fast food. The practice, Scottsdale Dermatology, has offices around the city and data from multiple offices was potentially exposed by the billing company’s security breach.
What Could Have Helped?
1. Cyber liability insurance. We’ve previously covered a variety of vital forms of commonly overlooked medical-practice insurance policies, and discussed the importance of data breach or cyber liability policies, which we can only hope the practice owner has in place here. These policies cover a variety of issues in our increasingly electronic world, including not only outside theft or loss of medical records but also the intentional misuse of patient data by employees. In this case both the medical practice and the billing company, which is likely a “business associate” of a covered entity, face substantial liability for a variety of issues including:
• Any actual losses incurred by patients;
• The expense of formal notification of over 40,000 patients;
• Ongoing remediation including credit monitoring and credit repair for those actually exposed;
•Reputational damage and loss of patient trust.
I’d also add that EPLI, or employment practices liability insurance, could prove useful in such a situation. While much of my previous coverage of this vital issue has centered on its value in protecting a doctor’s office from an employee lawsuit, the best policies often include riders that protect the employer from the liability associated with the unsanctioned actions of an employee as well.
2. Background checks and proper employee credentialing. In this case the billing and subsequent breach occurred at a third-party company that we can only hope was properly credentialed and met the specifications of the dermatology practice’s third-party payer contracts. It could just as easily have been at the doctor’s office itself. Part of your HIPAA security procedures should include a discussion of the entire chain of custody of the records your practice handles and discloses to third parties and that review should include questions about any third party’s background-screening practices. Find out if they indemnify you for their loss or misuse of the information you share with them, and get a copy of their “in-force” liability policy that covers you in the event of such a breach.
I can hope some phones are ringing on these issues at billing companies across the country later this week.