Employer Group Breach Woes

There are HIPAA Responsibilities for Businesses

Two stories about employers responsible for a breach of their employee’s Protected Health Information (PHI) were published this week. The first story describes a hacking/IT incident of the company’s health plan affecting 13,000 employees. The second story reports on a successful phishing scam that resulted in the disclosure of 14,000 employees’ Personally Identified Information (PII). The financial impact for the companies to mitigate these breaches is significant.

Could this happen to your company?

The loss of employee trust of the companies will require a focused effort to restore. A HIPAA compliance and training program will show employees the company is committed to protecting employee personal information.


 

Self-Insured Company Reports Breach1

Briggs & Stratton Corp., a Milwaukee, Wisconsin-based maker of gasoline engines for outdoor power equipment, reported to the Department of Health and Human Services’ Office for Civil Rights (OCR) on Sept. 29 a health data breach affecting about 13,000 individuals. It’s listed as a “hacking/IT” incident involving the company’s health plan. Although Briggs & Stratton has no evidence of actual misuse of any of the information, it notified individuals to be cautious because the malware, could have allowed a third party to access, use, and/or disclose individuals’ account-related, human resources and/or health plan information.

Most companies not in the healthcare sector don’t realize that their self-insured employee health plans are Covered Entities under HIPAA and assume that HIPAA doesn’t apply to them. The moral of the story, not only hospitals or a health insurance companies need HIPAA compliance. If your company sponsors a health benefits plan, you are also required to be HIPAA compliant. Employers need to be aware that they often receive, store and transmit group health plan data for employees, and they are required to have a robust information security program around the data that complies with the HIPAA Security Rule’s requirements. Frequent sources of information are enrollment forms, census information, and even employee self-disclosures. Any PHI your company holds, whether physical, electronic or oral is required by law to be protected, and in this day and age, ignorance is not a suitable defense!


 

Employees Sue Home Health Provider2

A recent class action lawsuit claims that over 14,000 current and former employees in over 1,000 locations of Lincare Holdings Inc. were potentially affected by the disclosure of their personally identifiable information (PII) in a February 2017 breach. Lincare is a home healthcare services company providing home respiratory-therapy products and medical equipment. A human resources employee fell prey to a phishing scam that requested W-2 tax information about company employees.

The lawsuit alleges that the Lincare HR employee, rather than confirming or authenticating the validity of the request by a “Lincare executive, compiled the requested information and emailed the names, addresses, Social Security numbers, earnings and additional information about current and former Lincare employees to the purported executive.”

Previous Breach

The sad part, the suit pointed out that this is not the first Lincare data breach. On January 13, 2016, the Department of Health and Human Services’ Office for Civil Rights (OCR), imposed a $239,800 civil monetary penalty for Lincare’s alleged failure to implement policies and procedures to safeguard records containing its patients’ Protected Health Information (PHI) as required by HIPAA.3

In that previous incident, OCR’s investigation found that a Lincare employee in December 2008 left behind documents containing the PHI of 278 patients after moving to a new residence. The first Lincare case was only the second time that OCR imposed a civil monetary penalty in a case involving “egregious violations” of HIPAA.

Based upon this [previous] breach … Lincare was placed on specific notice that it needed to implement and maintain more adequate and reasonable data security processes, controls, policies, procedures, and protocols to safeguard and protect the sensitive and confidential information with which it was entrusted, the complaint in the employees’ lawsuit alleged.


 

Steps to Prevent

The lawsuit claims that the breach could have been prevented had Lincare taken several information security steps, including:

  • Implementing securely configured electronic mail services “with advanced spam filters so that the phishing email never reached the HR employee’s inbox in the first place”;
  • Conducting sufficient information security training;
  • Implementing data security controls, policies and procedures regarding HR employees’ access to employee PII, including policies that prohibited HR employees from having on-demand access to all of its employees’ PII;
  • Implementing multiple layers of computer-system security, scrutiny and/or authentication;
  • Implementing measures to ensure that employee PII was never sent in an unencrypted form.

This is a list that all companies should be implemented as a part of a comprehensive data protection plan that may have prevented the breach. Comprehensive employee training needs to be renewed annually, and new workers need to be trained before they can access PII or PHI.

The financial impact for Lincare which will include the credit and identity monitoring as well as fines could easily be in the millions. The cost of implementing a HIPAA compliance plan and training employees is a fraction of the likely cost. Take action before it is too late.

 

 

  1. Total HIPAA has excerpted significant portions of the article “HIPAA Compliance: Self-Insured Company Reports Breach”, October 20, 2017. The author is Marianne Kolbasuk McGee, Executive Editor, HealthcareInfoSecurity
  2. Total HIPAA has excerpted significant portions of the article “Employees Sue Home Health Provider After Phishing Breach”, October 19, 2017. The author is Marianne Kolbasuk McGee, Executive Editor, HealthcareInfoSecurity
  3. OCR Slaps Home Health Provider with Penalty” – HealthcareInfoSecurity