More than 700 allegations of patient privacy law violations have been filed against Ohio health care facilities since 2010, with the majority of investigations closed after minimal guidance from the federal agency tasked with oversight.
Community Mercy Health Partners’ improper disposal of more than 113,000 medical records in a public recycling bin in Springfield last year remains the largest health care privacy breach in Ohio and resulted in the hospital taking corrective action.
The federal Health Insurance Portability and Accountability Act requires medical providers to protect patient medical and personal information.
But privacy and security experts, as well as patients affected by local health data breaches, have questioned whether enforcement goes far enough to deter repeated violations that could lead to costly identity theft.
“We trust them to take care of us and our medical records and to keep them private. Why have the HIPAA rules if they disregard them?” said Melanie LeVan, of Mechanicsburg. She and her husband had their records exposed by Community Mercy in November.
The Springfield hospital said it has received no complaints from patients regarding identity fraud or any other improper use of the information that was breached.
The Department of Health and Human Services Office of Civil Rights, criticized in the past for its handling of privacy breaches, will launch a new random audit program to proactively identify organizations that aren’t properly protecting patient data rather than reacting after information is exposed.
The health care industry lags behind others when it comes to cyber security, experts say. With the largest breaches in recent years coming as the result of hacking — including a massive attack on Anthem that affected about 78.8 million people nationwide and about 5 million consumers in Ohio — they say companies may be too focused on internal snafus and not adequately protected from cyber threats.
Multiple violations at Springfield Hospital
While investigating the Community Mercy breach, the Springfield News-Sun I-Team filed a Freedom of Information Act request for information on smaller breaches affecting fewer than 500 people, which account for nearly 99 percent of HIPAA violations.
Records about violations involving more people are available online, which showed that the Community Mercy record exposure was the largest in Ohio.
The News-Sun records request yielded a database of about 780 smaller investigations in Ohio but didn’t include details of the alleged violations.
About 30 percent of those cases were closed after corrective action by the health care organization. Another 30 percent were closed with the government providing a letter with recommendations for improvement.
In the remaining cases, it was either determined that no violation occurred or the complaint was closed in some other manner not requiring further action.
Springfield Regional Medical Center had two HIPAA violations investigated and closed with “technical assistance” provided prior to 2015 when the hospital notified patients of two separate large breaches.
A 2012 violation involved a fax error, according to Deborah Reif, corporate responsibility and privacy officer for the hospital. Community Mercy took corrective action before the federal government contacted it in that case.
In the second case, opened in 2013, the hospital received a technical assistance letter but determined through an internal investigation no privacy breach occurred, Reif said, and took no further action.
“‘Technical assistance’ from the OCR means that they see the complaint as a potential area of weakness and they provide educational information with the letter when disclosing the complaint,” she said.
Springfield Manor Nursing Home also had two violations, both in 2014, in which technical assistance was provided. The nursing home didn’t return calls for comment.
Kettering Health Network and Premier Health Partners have each had more than a dozen complaints in the past five years.
Kettering couldn’t provide details on individual cases — 12 resulting in corrective action or technical assistance — but said the majority were incidents in which internal monitoring systems alerted them to improper records access and were then self-reported to OCR.
Providers are only required to report smaller breaches on an annual basis but may do so at any time.
“A lot of these breaches are folks that are familiar with each other or they know each other, and it’s a curiosity or a snooping matter,” said Megan Brickner, privacy officer for Kettering. “We have zero tolerance for that … a snooping matter could rise to the level of termination.”
When the company is alerted that a patient’s record has been accessed in violation of the privacy law, the patient and OCR are notified and an internal corrective action and discipline program is initiated, Brickner said.
Premier spokeswoman Sharon Howard said the health network that oversees Miami Valley and Good Samaritan hospitals in Dayton does education annually and as needed, along with having auditing and monitoring procedures in place.
“Any allegation of a breach that may have occurred is investigated,” Howard said.
Independent researchers with the Ponemon Institute have surveyed health care organizations and their business partners about data privacy and security for six years.
In the most recent study released in May, 89 percent of health care organizations reported at least one data exposure in the past two years and 45 percent had more than five breaches.
The average cost to resolve the consequences of a breach was $2.2 million, the study found.
The main risk factor for the industry is a lack of vigilance by the organizations themselves, the groups interviewed said.
“There is a lack of accountability,” said Rick Kam, president and co-founder of ID Experts, a cyber protection company that sponsors the annual Ponemon survey.
The study reveals that health care organizations say they are most concerned with negligent or careless employees — 69 percent of respondents said this worries them most — but also report half of breaches are tied to criminal attacks.
Healthcare organizations are disproportionately focused on the wrong threats, Kam said.
“The frequency of data breaches from criminal attacks is about the same frequency as breaches from employee snafus,” he said. “The difference is criminal attacks are typically malicious, resulting in medical identity theft and medical fraud versus the accidental disclosures by employees.”
Organizations should invest in security measures that detect cyber attacks, malware and ransomware to reduce the frequency and impact of breaches, Kam said.
“Health care is the number one target right now,” Kettering Health Network’s Chief Information Security Officer Michael Berry said. “The data we have is the most valuable out there. Even more valuable than in the financial industry. If I stole your credit card you could change your credit card. If I steal your medical identity, you can’t very well change that.”
Many organizations are woefully underprepared for today’s cyber security threats, according to Justin Moore, CEO of cyber security firm Axcient.
Without stronger government enforcement, he said, the main motivation for companies to spend money on protecting health information is the damage a breach can do to a brand’s reputation.
“You have this toothless thing called HIPAA,” Moore said.
If someone were randomly auditing and fining health care companies for violations, he said, there would be a quick turnaround, as was seen in banking after tougher regulations.
The 2009 Health Information Technology for Economic and Clinical Health Act was intended to strengthen government oversight of health care providers and included a requirement that the Office of Civil Rights create an audit program.
But after six years of enforcing that law, Kam said the government oversight hasn’t achieved much in preventing violations.
The agency was also called out by its Inspector General last year for not being proactive enough.
“OCR’s oversight is primarily reactive,” the report said.
Now after conducting a pilot in 2012 that checked about 115 companies nationwide, the agency said its full auditing program is underway and audits are expected to begin in July.
“The audits present an opportunity to examine mechanisms for compliance, identify best practices, discover risks and vulnerabilities that may not have come to light through OCR’s ongoing complaint investigations and compliance reviews, and enable us to get out in front of problems before they result in breaches,” the agency’s audit website says.
The Inspector General’s report noted that in about half of the closed privacy cases, the agency determined that providers were non-compliant with at least one privacy standard and requested corrective action.
The News-Sun I-Team found that noncompliance was identified in about 60 percent of the Ohio cases since 2010 and almost all of those resulted in corrective action requested or technical assistance provided.
But those designations don’t necessarily mean the entity made any changes.
“When the OCR sends a technical assistance letter, it has closed the complaint and does not expect a response from the covered entity,” Reif with Community Mercy said.
Hospitals still have an incentive to implement any recommendations from those letters, Reif said, because OCR could come back and open an investigation at any time, including if the same entity has repeated complaints.
In response to questions last week, Deputy Director for Health Information Privacy Deven McGraw said in a statement that an entity’s history, including prior breaches or complaints, is one factor OCR takes into consideration in determining whether to move forward with an investigation. Prior breaches or investigations are also a factor considered in pursuing more formal action, he said.
Fines — the federal government’s most severe enforcement tool — have been assessed 35 times.
Impact on patients
Since 2009, the Office of Civil Rights has investigated nearly 1,600 large health data breaches and more than 134,000 smaller breaches and complaints nationwide.
Those incidents have affected more than 158 million patients, exposing information from addresses and medical diagnoses to social security numbers and insurance claim information detailed enough for someone to assume a fake medical identity.
Even when breaches don’t result in identity theft, patients can still feel violated.
“This incident has made my husband and I not want to trust hospitals with our information,” LeVan said.
After being notified by letter that their records were among those improperly disposed of in Springfield last year, the couple called the help line Community Mercy set up for patient questions.
They were initially told they couldn’t get copies of what was exposed. After contacting the News-Sun I-Team, the hospital sent the document on which one line of their information appeared.
“It made us worry less by knowing what of ours was in the dumpster,” LeVan said.
But she wishes more was done to hold hospitals accountable.
“Hospitals need to have repercussions to these things that happen and not just a slap on the wrist or them saying ‘sorry,’” she said.
Individuals don’t have the ability to sue under HIPAA, but as consumers, patients have huge power, Kam with ID Experts said.
“If consumers are upset they can take their business elsewhere,” he said.