What to Do When Your Medical Practice Data Is Breached

May 7, 2013

You've been breached - now what? Here's what to do in that first, all-important 24 hours.

What would you do if a hacker gained access to your server and demanded payment in exchange for not exposing your data to the world?

That's what happened to Surgeons of Lake County, LLC, a small practice in Northern Illinois, last July when an unauthorized user gained access to - and encrypted - its server in an attempt to force payment in exchange for the password needed to regain access to the server. While this sort of incident isn't as common as a stolen laptop or lost device, it is indicative of a broader trend: data breaches at medical practices.

As more physicians are migrating to EHRs and relying on mobile devices and laptops to interact with protected health information (PHI), data breaches are becoming more common.

According to a recent report from audit firm Redspin, the number of health data breaches affecting 500 or more individuals increased from 121 in 2011 to 146 in 2012. And according to the third annual "Benchmark Study on Patient Privacy & Data Security" put out by Ponemon Institute and ID Experts in December, data breaches are estimated to cost the U.S. healthcare industry an average of $7 billion annually.

Simultaneously, the federal government is cracking down even harder on healthcare organizations. In January, the Office for Civil Rights (OCR) for HHS released the final HIPAA omnibus rule, which modified the HIPAA Privacy and Security Rules, as well as the breach notification rule, to comply with the HITECH Act.

The modification to the breach notification rule requires healthcare entities to essentially prove, through a four-part risk assessment, that there is a low probability that PHI has been compromised. If they can prove that, then they do not need to disclose the breach. Healthcare entities found guilty of data breaches face fines of up to $1.5 million by the government plus notification costs and reputational damage, as they need to notify not only their patients, but also the media if the breach affects more than 500 individuals.

"[HHS is] looking to get people to the point where information is safely used," says attorney Andrew Blustein, with Garfunkel Wild, P.C., a law firm with offices in New York, New Jersey, and Connecticut. "Aggressive action in the beginning when you initially discover a problem can only help how the government views you and how your patients view you and help [ensure] that the situation does not spin out of control."

Fortunately, if your patient's PHI has been exposed, taking specific steps in the next 24 hours can minimize the damage - financial and otherwise.

Step one: Contain the situation

Regardless of how a breach occurs, a practice's first job is to try to stop the breach from getting worse.

"The first thing is stop the bleeding," says Blustein, who has worked with healthcare organizations that have had instances of data breach. "So, for example, if I find out a practice has an employee who is giving information inappropriately to someone, I may need to suspend that person or bar their access until I can find out what's going on."

If the breach involves a theft, for example, a practice should call the police before assessing the extent of the damage, says Elizabeth Litten, an attorney with Fox Rothschild LLP in Princeton, N.J., who has represented hospitals, physicians, and other providers and payers on a variety of healthcare issues.

Be sure to act as quickly as possible to fix the breach, says Litten, because if your practice is found guilty of willful neglect, it will face steeper civil money penalties. While civil penalties are between $10,000 and $50,000 per violation (resulting from willful neglect) if corrective actions take place within a 30-day period, if not corrected, each such violation is subject to a penalty of at least $50,000.

If your business associates (which now may include, for example, cloud-based EHR providers or medical-equipment contractors), are involved in the breach and don't act quickly to mitigate the damage (within 30 days, if the breach is attributable to willful neglect), the breach could still be attributed back to your practice - and your practice could be stuck with the higher penalty amount.

The covered entity is ultimately responsible for reporting to HHS and giving notice to patients, since the business associate is independently subject to HIPAA as per HITECH, and, in addition, may have contractual obligations to indemnify the covered entity, says Litten.

Step two: Assess the situation

After your practice has contained the damage as much as possible, for example, by notifying the police or taking information off the Internet, it's time to measure the actual damage - and the extent of it.

If you haven't called your attorney yet or found an experienced one who deals with healthcare organizations and knows HIPAA backwards and forwards, now is the time to do that. One of the first things your attorney will do is walk you through the four-part risk assessment outlined in the HIPAA Breach Notification Rule to determine the probability that PHI was compromised. Not all incidents where data was taken or improperly transmitted constitute a breach. If your laptop data is encrypted, for example, the likelihood of a breach is low and HIPAA violation penalties would not go into effect.

"If you're not sure where things stand, you don't want to unnecessarily alarm your patients, and create a false impression that the data was compromised if the risk is really low," says Litten.

However, the risk assessment is important because many practices have a narrow view of what a breach is.

 "A lot of people think of a breach as just the disclosure of information outside the practice, but it could also be the inappropriate use of information within the practice," says Blustein.

Here are the four factors to analyze to determine whether the probability of data breach is low:

1. Nature and extent of the PHI involved. To figure out the extent of a breach, Blustein says a practice should ask itself questions such as: What was the sensitivity of the information? Did the information contain financials, such as social security numbers, or was it merely an appointment calendar? And if the latter, was it for a specific procedure or a routine office visit?

2. The person/party to whom the PHI was exposed. There is a difference in whether you accidentally gave PHI to the wrong doctor or a thief obtained it. If the wrong doctor came in contact with PHI, the probability PHI has been compromised may be low, says Blustein.

3. Whether PHI was actually acquired or viewed. Your practice may have unintentionally allowed PHI to be exposed, but if PHI was never actually viewed, you could be in the clear. "If I send an envelope to you, and you get it and it has someone else's name on it, and you return the envelope to me unopened, that indicates you never viewed the information in the envelope," says Blustein.

4. The extent to which the risk has been mitigated. This factor prompts a healthcare organization to ask whether it is doing all it can to diminish the likelihood of compromising PHI. If your practice has strong safeguards and procedures in place, the probability PHI has been compromised may be low.

Unless the covered entity demonstrates a low probability that information is compromised based on a risk assessment, practices have to assume a breach.

Step three: Notify others

You've done your risk assessment and concluded PHI has been compromised. The next step in your post-data breach scenario is to alert others. Bob Dupuis, director of technical services for Boston-based consultancy Arcadia Solutions, says practices should check their state data breach laws to make sure there aren't additional legal requirements (beyond what is outlined in HIPAA and the recent Omnibus Rule) for determining the appropriate response and communications in the event of a data breach.

"There are different who's, when's, and what's you need to report depending on the state data breach laws governing the information," says Dupuis. "For example, in Massachusetts they have a very strong data protection law [201 CMR 17.00] that defines data breaches and Massachusetts residents' information that must be protected, and clearly defines who to contact and when."

The hardest part of the process may be breaking the news that a breach occurred to your patients, but don't make it too complicated a process.

"Honesty can be the best policy, but there is an also important way to craft the message to say 'yes, we've had this occurrence, these are the steps we've taken, and these are the steps we'll continue to take,'" says Dupuis.

First, you want determine the number of patient records that have been breached. If it's more than 500, you need to notify HHS of the breach as soon as you secure the exact or approximate number and be prepared to notify local media, as instructed by the HIPAA Security Rule.

Since time is of the essence, the next two actions should happen at about the same time, after determining the extent of the breach:

• Notify staff and business associates so everyone is apprised of the situation. In the next several days and weeks, you need them to be prepared for a barrage of patient phone calls and electronic messages if letters were sent to patients.

• Draft a letter to send to patients whose PHI has been compromised (assuming that is required based on the breach). Although you technically are supposed to send the letter within 60 days, this doesn't mean you should wait 60 days to send this out. "Let's say [a] computer was stolen and on it has your social security number," says Blustein. "If I wait 60 days to tell you that happened, your ability to protect your credit is compromised." Have your media relations and/or healthcare attorney look over the letter to make sure it complies with HIPAA guidelines.

Although it isn't specifically required, practices should offer free credit monitoring where financial or sensitive information has been disclosed.

"There are companies out there that offer credit-monitoring services and the doctor should offer to pay for that," says Blustein.

In addition to sending the letter, Blustein says practices may also want to consider calling their patients. "If my oncology records are stolen and I get a breach letter, I'm going to feel a sense of anxiety," he says, adding that whoever calls patients should just reiterate the message in the letter.

And although sending out a letter via regular mail is traditional, practices should also post a copy of the patient letter on their website, or distribute it through a newswire service.

"A lot of organizations notify patients through a letter and through their portal," says Dupuis. "[It depends] how they're best engaged how to get out that information."

Step four: Prepare for the next 72 hours

You've mitigated as much damage as possible, notified patients and business associates, and briefed staff of the situation. Here's what you need to do in the next 72 hours:

1. Designate staff to answer questions. Brief staff on how to handle calls (tell them to stick to the letter facts and corrective actions), and arm them with an FAQs document so they can address common concerns quickly. And be sure to keep a log of the calls received. OCR may ask for that log later, says Blustein.

2. Implement new security measures. Once you figure out what happened, you'll need to make changes to prevent this from happening again, says Lisa Gallagher,  senior director of privacy and security for the Healthcare Information and Management Systems Society. "HHS wants to know, what changes are you making in your security controls, whether technical or administrative, to prevent that from happening again?" says Gallagher. For example, you might need to implement a data-encryption policy for portable media, or purchase an application that can aid in encryption, she says. Plus, you'll need to review policy changes as well. "As part of your HIPAA privacy and security training, you should tell employees, if they absolutely need to take a laptop with PHI on it, make sure it's encrypted," says Litten, adding that practices should consider putting restrictions on which third parties can access PHI.

3. Prepare for investigation. Though you're probably ready to put the breach behind you, you're not off the hook just yet. To prepare for the investigation - which could take OCR up to a year or even longer - be sure to document all the actions you have taken and the changes you are making to prevent this from happening again. You should also have a copy of your risk assessment, which addresses the four breach areas if breach letters were not sent. Blustein recommends tasking someone in the office to act as a compliance manager. "One of the things OCR wants to know is, 'How do we know this isn't going to happen again?' You need to have an answer ready [such as] 'We fired the employee,' 'We encrypted everything,'" says Blustein. "You can't just have an incident and do nothing. You must take some affirmative action to mitigate."

4. Plan for the future. Craft an incident plan that identifies who's responsible for what, should a breach occur in the future. "The plan lays out internal communications …," says Dupuis. "It lays out who needs to be contacted and when they need to be contacted [and] steps you'll take to minimize damage and steps to take depending on the situation."

Remember that dealing with the situation head on is best. "It's really important you're out there in a really ethical way, dealing with this situation headon and not trying to hide behind it," says Dupuis. "Go out there, accept responsibility, and address it through a really crisp action plan."

In Summary

Has your practice been breached? Don't panic. Just follow these steps to mitigate the damage and save your reputation:

First, contain the situation before worrying about the extent of the damage.

Next, assess the situation and determine the extent of the compromised data.

Apprise staff and business associates of the situation.

Notify patients whose data has been compromised in a letter that complies with HIPAA guidance.

• If the breach exceeds 500 records, prepare to notify the media.

• Brief staff on how to handle calls from patients.

• Keep a record of all corrective actions and call logs for follow-up investigations

Marisa Torrieri is an associate editor at Physicians Practice. She can be reached at marisa.torrieri@ubm.com.

This article originally appeared in the May 2013 issue of Physicians Practice.