Centene Corporation, a Wisconsin-based health insurer, has announced the loss of 6 unencrypted computer hard drives containing the protected health information of roughly 950,000 of its members.
The hard drives were being used in a project to improve the health outcomes of plan members. The individuals affected by the security breach had all received laboratory services between 2009 and 2015. The data stored on the devices included names, dates of birth, addresses, Social Security numbers, member ID numbers, and laboratory test results.
An initial search was carried out after the devices were found to be missing, and a more thorough search within Centene is now under way. That search is continuing, according to the company's breach notice.
It's probable that the hard drives will be recovered, but Centene has taken the step of alerting its members to the possible exposure of their PHI out of an abundance of caution. Also out of an abundance of caution, all 950,000 members have been offered one year of credit monitoring services free of charge. The loss of the equipment has also prompted Centene to conduct a review of its IT equipment management procedures.
OCR Has Issued Many Penalties for the Failure to Safeguard ePHI
The misplacement or loss of the computer hard drives strongly suggests that HIPAA Rules have been violated. HIPAA requires all covered entities to ensure that all computer equipment used to store ePHI is protected by appropriate physical controls at all times to prevent theft or loss.
Covered entities are also required to maintain an equipment inventory of all devices used to transmit, store, copy or access ePHI. This includes digital printers, photocopiers, fax machines, tablets, computers, portable storage devices such as flash drives, and computer hard drives. A covered entity should always be aware of the location of all equipment used to store ePHI.
The Department of Health and Human Services' Office for Civil Rights may impose severe financial penalties on covered entities that fail to maintain control of equipment and devices used to store ePHI.
CA Health Plan, Inc. of Arkansas agreed to pay a settlement of $250,000 in 2014 after the loss of an unencrypted laptop containing the ePHI of 148 individuals. In the same year, Concentra Health Services agreed to settle with OCR for $1,725,220 over potential HIPAA violations uncovered by an OCR investigation into the theft of an unencrypted laptop.
Penalties for Loss of Computer Hard Drives Used to Store ePHI
The theft of a portable storage device led to a substantial penalty for the Alaska Department of Health and Human Services (DHHS). The device was stolen from an employee's vehicle, and the potential HIPAA violations that OCR uncovered when the data breach was investigated led to an agreed settlement of $1.9 million.
The most relevant case is that of health insurer Blue Cross Blue Shield of Tennessee (BCBST). In 2012, the company agreed to settle potential HIPAA violations stemming from the theft of hard drives from a storage facility leased by BCBST. In that case, 57 unencrypted hard drives were stolen, exposing the PHI of roughly 1 million plan members. BCBST settled with OCR for $1.5 million.
Although Centene may yet recover the lost devices, that does not necessarily put the company in the clear. Now that OCR has been notified of the security incident, an investigation will be started. If HIPAA violations are discovered, a penalty may be deemed appropriate.
This case serves as a reminder to covered entities to ensure that all equipment used to store ePHI can be accounted for. An up-to-date and accurate inventory of all equipment should be maintained, and devices should be protected with appropriate physical safeguards to prevent theft or loss.
With the next round of HIPAA compliance audits rapidly approaching, now is an ideal time to carry out an equipment inventory. It is one aspect of HIPAA Rules that is likely to be examined during the compliance audits.