Employer Group Breach Woes

There are HIPAA Responsibilities for Businesses

This week, two incidents of employer group breaches involving unauthorized access to employees’ Protected Health Information (PHI) have come to light. The first incident involves a hacking/IT event targeting the company’s health plan, impacting 13,000 employees. The second incident revolves around a successful phishing scam, leading to the exposure of Personally Identified Information (PII) of 14,000 employees. These breaches have resulted in significant financial consequences for the companies involved.

Is your company prepared to face such a situation?

Rebuilding the trust of the affected employees will require a dedicated effort. Implementing a comprehensive HIPAA compliance and training program will demonstrate the company’s unwavering commitment to safeguarding employees’ personal information.

Self-Insured Company Reports Breach¹

Briggs & Stratton Corp., a Milwaukee, Wisconsin-based maker of gasoline engines for outdoor power equipment, reported to the Department of Health and Human Services’ Office for Civil Rights (OCR) on September 29, a health data breach affecting about 13,000 individuals. It’s listed as a “hacking/IT” incident involving the company’s health plan. Although Briggs & Stratton has no evidence of actual misuse of any of the information, it notified individuals to be cautious because the malware could have allowed a third party to access, use, and/or disclose individuals’ account-related, human resources, and/or health plan information.

Most companies not in the healthcare sector don’t realize that their self-insured employee health plans are Covered Entities under HIPAA and assume that HIPAA doesn’t apply to them. The moral of the story, not only hospitals or health insurance companies need HIPAA compliance. If your company sponsors a health benefits plan, you are also required to be HIPAA compliant. Employers need to be aware that they often receive, store, and transmit group health plan data for employees, and they are required to have a robust information security program around the data that complies with the HIPAA Security Rule’s requirements. Frequent sources of information are enrollment forms, census information, and even employee self-disclosures. Any PHI your company holds, whether physical, electronic, or oral is required by law to be protected, and in this day and age, ignorance is not a suitable defense!

Employees Sue Home Health Provider²

A recent class action lawsuit claims that over 14,000 current and former employees in over 1,000 locations of Lincare Holdings Inc. were potentially affected by the disclosure of their personally identifiable information (PII) in a February 2017 breach. Lincare is a home healthcare services company providing home respiratory-therapy products and medical equipment. A human resources employee fell prey to a phishing scam that requested W-2 tax information about company employees.

The lawsuit alleges that the Lincare HR employee, rather than confirming or authenticating the validity of the request by a “Lincare executive, compiled the requested information and emailed the names, addresses, Social Security numbers, earnings, and additional information about current and former Lincare employees to the purported executive.”

Previous Breach

The sad part, the suit pointed out that this is not the first Lincare data breach. On January 13, 2016, the Department of Health and Human Services Office for Civil Rights (OCR), imposed a $239,800 civil monetary penalty for Lincare’s alleged failure to implement policies and procedures to safeguard records containing its patients’ Protected Health Information (PHI) as required by HIPAA.³

In that previous incident, OCR’s investigation found that a Lincare employee in December 2008 left behind documents containing the PHI of 278 patients after moving to a new residence. The first Lincare case was only the second time that OCR imposed a civil monetary penalty in a case involving “egregious violations” of HIPAA.

Based upon this [previous] breach … Lincare was placed on specific notice that it needed to implement and maintain more adequate and reasonable data security processes, controls, policies, procedures, and protocols to safeguard and protect the sensitive and confidential information with which it was entrusted, the complaint in the employees’ lawsuit alleged.

Steps to Prevent

The lawsuit claims that the breach could have been prevented had Lincare taken several information security steps, including:

• Implementing securely configured electronic mail services “with advanced spam filters so that the phishing email never reached the HR employee’s inbox in the first place”;
• Conducting sufficient information security training;
• Implementing data security controls, policies, and procedures regarding HR employees’ access to employee PII, including policies that prohibited HR employees from having on-demand access to all of its employees’ PII;
• Implementing multiple layers of computer-system security, scrutiny, and/or authentication;
• Implementing measures to ensure that employee PII was never sent in an unencrypted form.

This is a list that all companies should be implemented as a part of a comprehensive data protection plan that may have prevented the breach. Comprehensive employee training needs to be renewed annually, and new workers need to be trained before they can access PII or PHI.

The financial impact for Lincare, which will include credit and identity monitoring as well as fines, could easily be in the millions. The cost of implementing a HIPAA compliance plan and training employees is a fraction of the likely cost. Take action before it is too late.

Conclusion

Total HIPAA specializes in HIPAA compliance services, helping businesses adhere to HIPAA guidelines and protect sensitive data. Our experts ensure your organization remains compliant with HIPAA regulations, meaning you can focus on your core operations while we handle documenting the policies and procedures that make up your HIPAA compliance plan. Trust Total HIPAA for comprehensive compliance solutions tailored to your needs. Book a clarity call today.

Blog Posts to Read Next:

1. Why Employers Need to be HIPAA Compliant
2. States Strengthen Opportunity for Financial Compensation to Breach Victims
3. Why an Employer Group Has to Be HIPAA Compliant

Endnotes

1. Total HIPAA has excerpted significant portions of the article “HIPAA Compliance: Self-Insured Company Reports Breach”, October 20, 2017. The author is Marianne Kolbasuk McGee, Executive Editor, HealthcareInfoSecurity
2. Total HIPAA has excerpted significant portions of the article “Employees Sue Home Health Provider After Phishing Breach”, October 19, 2017. The author is Marianne Kolbasuk McGee, Executive Editor, HealthcareInfoSecurity
3. “OCR Slaps Home Health Provider with Penalty” – HealthcareInfoSecurity

Sharing is caring!