Healthcare Industry Update
Proofpoint HIPAA Breach Report:
Contents
HIPAA Breach Report
Overall Figures
Legal Environment
HIPAA Breaches By Location
HIPAA Breaches By Type
HIPAA Breaches By State
Notable HIPAA Breaches
Blue Cross Blue Shield of Tennessee (BCBST) – $18.5 million
Cignet Health – $4.3 million
CVS Caremark – $2.25 million
State of Alaska – $1.7 million
Massachusetts Eye and Ear Infirmary – $1.5 million
RiteAid – $1 million
South Shore Hospital – $750,000
TRICARE Management Activity – $4.9 billion*
Sutter Medical Foundation – $944 million – $4.25 billion*
HIPAA Breach Report
Proofpoint monitors a variety of security-related activities and provides Industry Updates for
several areas. This report covers HIPAA breaches affecting 500 or more individuals, as reported to
and published by the US Department of Health and Human Services (HHS).1
The report breaks the breaches down by number of incidents, individuals affected, type of breach,
location of breach, and state. It also describes notable breaches, including their settlement costs.
Proofpoint, a strong proponent of security and privacy, provides this information to help
organizations and individuals stay aware of the current state of healthcare information
governance with regard to Protected Health Information (PHI).
Overall Figures
Since 2009, 585 HIPAA security breaches affecting 500 or more individuals have been posted.
The breaches are spread over 49 US states and territories, covering 46 of the 50 states; Hawaii,
Maine, South Dakota and Vermont are the only states without a registered breach.
A number of breaches persisted for an extended period of time. The longest was at Duke
University, where a system was compromised from 2004 to 2012. For breaches where the system
was compromised for an extended period, the average length of compromise was 250 days.
This report also covers the time it takes to post a breach after the breach occurred. Of the 443
breaches where public notification occurred after the breach, the average time to post was 142
days. The maximum time to post was 9.8 years, again the Duke University incident.
1 The source data for this document is provided by the US Department of Health and Human Services and available at http://www.hhs.gov.
Figure 1. Overall HIPAA Reported Breach Figures
Approximate Number of Individuals Compromised: 21,784,290
Number of Breaches: 585
States with Recorded Breaches: 46
Figure 2. Extended Breach Figures
Number of Extended Breaches: 57
Average Length of Extended Breaches: 250 days
Maximum Length of Extended Breach: 9.4 years
Figure 3. Notification Delay Figures
Number of Breaches with Delayed Notification: 443
Average Length of Delayed Notification: 142 days
Maximum Length of Delayed Notification: 9.8 years
Healthcare Data Breaches At A Glance
$7 billion loss estimate across the healthcare industry due to privacy breaches1
94% of healthcare organizations have had at least one data breach within the last two years
$2.4 million average economic impact per breach in 2012, an increase of almost $400,000 since 2010
61% of healthcare staff believe data breaches will lead to financial identity theft
18% of healthcare organizations report actual medical identity theft as a result of a data breach
1 Ponemon Institute LLC, Third Annual Benchmark Study on Patient Privacy & Data Security, December 2012
Legal Environment
In addition to the increasingly public nature of security breaches, there has been an increase in
lawsuits. A number of lawsuits seek $1,000 per compromised individual, which puts the damages
sought into the billions of dollars for breaches involving over a million individuals. Billion
dollar lawsuits have occurred in two incidents and are tracked in Section 2 of this update.
HIPAA Breaches By Location
The most common breach location is the theft or loss of backup tapes and disks, followed by
EMR systems and computer systems. However, when the various computer-related locations
(Network Server, Computer, Laptop, and Portable Electronic Device) are combined, they account
for 39% of breaches, more than either Backup Tapes or EMR systems.
With lawsuits seeking $1,000 per compromised patient, these locations are potentially very
costly: a 5 million patient compromise could result in a $5 billion lawsuit.
Figure 4. Lawsuit Overview
Organization  Individuals Compromised  Damages Sought
TRICARE  4,901,432  $4.9 billion
Figure 5. Number of Patients Compromised by Location
HIPAA Breaches By Type
Data breaches involving electronic PHI (ePHI) occur through a variety of means. The largest
number of records and the most breaches result from improper security of ePHI leading to
theft, loss, hacking and unauthorized access. This is evident both in the number of patients
exposed per type and in the number of breaches per type, as shown below.
Figure 6. Number of Patients Compromised by Type
HIPAA Breaches By State
HIPAA breaches have occurred in 49 US states and territories. Of the 50 states, only Hawaii,
Maine, South Dakota, and Vermont have not experienced a breach. By number of individuals
affected, the top 10 states represent 19 million people, or 87% of all individuals affected.
With breaches across 46 of the 50 states, breaches do not appear to be targeted at any
individual state; however, certain states have historically had more breaches.
Figure 8. Affected Individuals And Number of Breaches for Top 10 States
The affected individuals in the top two states represent a significant portion of those states’
populations.
Figure 9. Affected Individual Equivalents for Top States
States of Note  Breaches in Context
Virginia  The affected individuals in the top two states represent a significant portion of those states’ populations.
California  The nearly 4 million people affected are more than everyone living in Los Angeles.
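The figures in the Overall Figures, By Location and By State sections are aggregates of the HHS breach-portal data. As an added illustration of how such aggregates are produced (example code, not part of the Proofpoint report or of any HHS tooling), the Python below parses a constructed, portal-style CSV and reproduces the report's measures: overall totals, the top states and their share of individuals, the combined "computers" share of breach locations, and the notification delay between breach and submission. The column names and location values are assumptions modelled on the portal's CSV export, and the "Breach Date" column is an assumption too (the portal exports a submission date; the report took breach dates from each breach's description). The rows are constructed sample data, not real breaches.

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Location values the report folds into a single "computers" category.
# Column and location names are assumptions modelled on the HHS breach
# portal CSV export; "Breach Date" is not a portal field and is assumed.
COMPUTER_LOCATIONS = {"Network Server", "Desktop Computer", "Laptop",
                      "Other Portable Electronic Device"}

# Constructed sample rows in the assumed portal layout. Entity names,
# figures and dates are invented for the example, not real HHS records.
SAMPLE_CSV = """\
Name of Covered Entity,State,Individuals Affected,Breach Date,Breach Submission Date,Type of Breach,Location of Breached Information
Sample Entity A,TN,1000000,10/02/2009,11/30/2009,Theft,Other
Sample Entity B,MA,800000,02/25/2010,07/19/2010,Theft,Backup Tapes
Sample Entity C,AK,501,10/12/2009,10/30/2009,Theft,Other Portable Electronic Device
Sample Entity D,MA,3621,02/19/2010,04/21/2010,Theft,Laptop
Sample Entity E,CA,943434,10/15/2011,11/18/2011,Theft,Desktop Computer
Sample Entity F,VA,100000,01/01/2004,06/01/2012,Hacking/IT Incident,Network Server
Sample Entity G,CA,2900,10/10/2011,10/10/2011,Improper Disposal,Paper/Films
Sample Entity H,TX,50000,03/01/2012,04/30/2012,Unauthorized Access/Disclosure,Electronic Medical Record
"""


def parse_date(text):
    """Portal dates are MM/DD/YYYY (assumed)."""
    return datetime.strptime(text, "%m/%d/%Y").date()


def load_breaches(csv_text):
    """Parse portal-style CSV text into typed records."""
    rows = []
    for raw in csv.DictReader(io.StringIO(csv_text)):
        rows.append({
            "entity": raw["Name of Covered Entity"],
            "state": raw["State"],
            "individuals": int(raw["Individuals Affected"]),
            "breach_date": parse_date(raw["Breach Date"]),
            "submitted": parse_date(raw["Breach Submission Date"]),
            "type": raw["Type of Breach"],
            "location": raw["Location of Breached Information"],
        })
    return rows


def overall_figures(rows):
    """Figure 1 style totals: breach count, individuals, distinct states."""
    return {
        "breaches": len(rows),
        "individuals": sum(r["individuals"] for r in rows),
        "states": len({r["state"] for r in rows}),
    }


def top_states(rows, n):
    """Top-n states by individuals affected as (state, individuals, breaches)."""
    individuals, counts = Counter(), Counter()
    for r in rows:
        individuals[r["state"]] += r["individuals"]
        counts[r["state"]] += 1
    ranked = sorted(individuals, key=lambda s: individuals[s], reverse=True)
    return [(s, individuals[s], counts[s]) for s in ranked[:n]]


def top_states_share(rows, n):
    """Fraction of all affected individuals accounted for by the top-n states."""
    total = sum(r["individuals"] for r in rows)
    return sum(ind for _, ind, _ in top_states(rows, n)) / total


def location_breakdown(rows):
    """Breach count per location and the share of breaches in any computer location."""
    by_location = Counter(r["location"] for r in rows)
    computer = sum(1 for r in rows if r["location"] in COMPUTER_LOCATIONS)
    return by_location, computer / len(rows)


def notification_delay(rows):
    """Figure 3 style delay over breaches submitted after the breach date.

    Same-day submissions are excluded, matching the report's count of
    breaches where notification occurred after the breach.
    """
    delays = [(r["submitted"] - r["breach_date"]).days for r in rows]
    delays = [d for d in delays if d > 0]
    if not delays:
        return {"breaches": 0, "average_days": 0.0, "max_days": 0}
    return {
        "breaches": len(delays),
        "average_days": sum(delays) / len(delays),
        "max_days": max(delays),
    }


if __name__ == "__main__":
    data = load_breaches(SAMPLE_CSV)
    print(overall_figures(data))
    print(top_states(data, 2), round(top_states_share(data, 2), 3))
    print(location_breakdown(data))
    print(notification_delay(data))
```

Pointing `load_breaches` at the real portal export instead of `SAMPLE_CSV` only requires that the column names match; the one long-running entry in the sample (eight years between breach and submission) shows why the report quotes the maximum delay separately from the average, since a single such record dominates the mean.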
Notable HIPAA Breaches
HIPAA breaches have become more costly since the passage of the HITECH Act, with
settlement and remediation costs in the millions and class-action lawsuits seeking billions
of dollars. Under the penalty calculations used by the US Department of Health and Human
Services (HHS) Office for Civil Rights (OCR), penalties can reach $50,000 per day, so they
easily reach the $1.5 million per year limit stipulated by HITECH.
This section provides case studies for select HIPAA breaches so that healthcare practitioners
can get up-to-date information on compliance and remediation costs and approaches.
Of note, some patients have initiated class-action lawsuits seeking $1,000 per affected
member, with aggregate damages sought reaching into the billions of dollars. Given the
importance of data privacy and the risk of identity theft, organizations should take steps to
prevent breaches or be prepared to face these types of lawsuits if a breach does occur.
Blue Cross Blue Shield of Tennessee (BCBST) – $18.5 million
Breach Information: Blue Cross Blue Shield of Tennessee
Covered Entity: Blue Cross Blue Shield of Tennessee
Individuals Affected: 1 million
Event: HIPAA Security Rule breach
Breach Cost: $18.5 million total
• $1.5 million: HHS civil money penalty (CMP)
• $11 million: customer alerts and HIPAA compliance
• $6 million: encryption of 885 terabytes of data
Breach Type: Theft of 57 unencrypted hard drives containing demographic information, Social Security numbers, diagnosis codes and health plan identification numbers
Breach Date: October 2, 2009
Summary: In 2009, 57 hard drives containing ePHI for 1 million patients were stolen from BCBST. The breach cost $18.5 million, of which $11.5 million was associated with handling the single theft event. Additionally, more than $6 million and 5,000 man-hours of effort were spent encrypting 885 terabytes of data at rest to ensure this type of breach does not
Cignet Health – $4.3 million
Breach Information: Cignet Health
Covered Entity: Cignet Health of Prince George’s County, MD
Individuals Affected: 41
Event: HIPAA Privacy Rule breach
Breach Cost: $4.3 million total – HITECH 134109(d)
• $1,351,600: HIPAA civil money penalty (CMP)
• $3.0 million: fine for willful neglect and failure to cooperate with the HHS Office for Civil Rights (OCR)
Breach Type: Refusal to provide access to medical records for 41 patients and to the HHS OCR
Breach Date: September 2008 – October 2009
Summary: 41 patients requested access to their medical records between September 2008 and October 2009. Covered entities are required to respond within 30 days and no later than 60 days. Cignet did not respond, which resulted in a CMP of $1.3 million. Cignet also allegedly refused to respond to the OCR investigation, which ran from March 17, 2009 to April 7, 2010, including failing to respond to a court-ordered subpoena. OCR obtained a default judgment against Cignet in United States District Court and added a $3.0 million fine for willful neglect of the HIPAA Privacy Rule, for a total fine of $4,351,600.
The $1,351,600 base CMP was the minimum HIPAA fine, calculated at $100 per day for the 13,516 penalty days during which Cignet ignored patient requests.
The $3 million willful neglect penalty was calculated at $50,000 per day of non-compliance with the OCR investigation, which comes to a $242 million fine for the 4,859 patient-days in 2009 and $131 million for the 2,619 patient-days in 2010. Each year's penalty was reduced to the $1.5 million per calendar year maximum allowed under the HITECH Act, giving $3 million.
CVS Caremark – $2.25 million
Breach Information: CVS Caremark Corp.
Covered Entity: CVS Caremark Corp.
Individuals Affected: 955
Event: HIPAA Privacy Rule breach
Breach Cost: $2.25 million
Breach Type: Improper disposal of PHI in unsecured dumpsters that were accessible to the public.
Breach Date: August 13, 2012
Summary: The HHS OCR and the Federal Trade Commission (FTC) investigated CVS after media reports alleged that PHI was being disposed of in unsecured dumpsters. The investigation found that CVS had failed to implement proper policies, procedures, and training for employees to recognize and securely dispose of PHI. In addition to the $2.25 million CMP, the Corrective Action Plan requires updated disposal procedures, sanctioning of non-compliant workers, and a 3 year period during which CVS must send compliance reports to OCR.
State of Alaska – $1.7 million
Breach Information: Alaska Department of Health and Human Services
Covered Entity: Alaska Department of Health and Human Services (ADHHS)
Individuals Affected: 501
Event: HIPAA Security Rule breach
Breach Cost: $1.7 million
Breach Type: Theft of a USB flash drive containing ePHI from the car of an ADHHS employee
Breach Date: October 12, 2009
Summary: An unencrypted flash drive was stolen from the car of an ADHHS IT worker. ADHHS was not certain the device contained PHI, but because it was unencrypted, they reported it to the HHS OCR. OCR conducted an investigation and found that ADHHS did not have adequate policies and procedures to protect ePHI. Additionally, ADHHS had not conducted or implemented a risk analysis, risk management procedures, device and media controls, or ePHI encryption. OCR issued a $1.7 million CMP and a corrective action plan that requires ADHHS to review, revise and maintain policies to stay in compliance with HIPAA. A monitor will provide OCR with regular updates on ADHHS’s progress toward HIPAA compliance.
Other Events: On September 7, 2010, ADHHS lost ePHI for 2,000 individuals due to theft.
Massachusetts Eye and Ear Infirmary – $1.5 million
Breach Information: Massachusetts Eye and Ear Infirmary
Covered Entity: Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates (MEEI)
Individuals Affected: 3,621
Event: HIPAA Privacy and Security Rule breach
Breach Cost: $1.5 million
Breach Type: Theft of an unencrypted laptop containing prescriptions and clinical information for 3,621 patients and research subjects
Breach Date: February 19, 2010
Summary: MEEI reported the theft of an unencrypted laptop containing patient records for 3,621 individuals. As part of its investigation, OCR concluded that MEEI was not:
• performing “a thorough analysis of risk to the confidentiality” of the ePHI stored on the laptop
• “adopting and implementing policies and procedures to restrict access to ePHI to authorized users of portable devices.”
OCR’s investigation found that additional breaches occurred over “an extended period of time, demonstrating a long-term, organizational disregard for the requirements of the Security Rule.” MEEI settled for a $1.5 million CMP and agreed to take corrective measures, with reporting over 3 years.
Other Events: On November 10, 2009, employees improperly accessed patient credit card information, including names, addresses and card details. Per HIPAA requirements, MEEI notified the affected individuals, the media and HHS. MEEI terminated the involved employees, offered individuals 1 year of free credit card monitoring, revised its safeguards policy, and reviewed its processes for credit card payment.
RiteAid – $1 million
Breach Information: RiteAid
Covered Entity: RiteAid
Individuals Affected: Approximately 2,900
Event: HIPAA Privacy Rule breach
Breach Cost: $1.0 million
Breach Type: Improper disposal of PHI in unsecured dumpsters that were accessible to the public.
Breach Date: October 10, 2011
Summary: A local television station filmed RiteAid employees dumping patient prescriptions and other PHI in local dumpsters. An investigation by OCR and the FTC followed and confirmed that improper disposal of patient prescriptions was occurring in numerous cities.
Under the settlement, RiteAid agreed to train its workforce on HIPAA Privacy Rule requirements, monitor its progress internally, and allow an outside monitoring agency to review its progress with respect to the settlement.
The $1 million fine equates to just over $200 for each of RiteAid’s 4,900 stores.
South Shore Hospital – $750,000
Breach Information: South Shore Hospital
Covered Entity: South Shore Hospital
Business Associate: Archive Data Solutions (formerly Iron Mountain Data Products, Inc.)
Individuals Affected: 800,000
Event: HIPAA Security Rule breach
Breach Cost: $750,000
Breach Type: Theft of nearly 500 unencrypted backup tapes.
Breach Date: February 25, 2010
Summary: The hospital sent nearly 500 unencrypted backup tapes containing ePHI, in 3 boxes, to be erased by Archive Data Solutions, after which the tapes went missing. The ePHI included patient names, Social Security numbers, and financial, clinical and medical diagnosis data. The hospital recovered one tape but was fined $750,000, a figure that was reduced by $275,000 in recognition of technology investments made after the breach.
TRICARE Management Activity – $4.9 billion*
Breach Information: TRICARE Management Activity
Covered Entity: TRICARE Management Activity
Business Associate: Science Applications International Corporation (SAIC)
Individuals Affected: 4,901,432
Event: HIPAA Security Rule breach
Breach Cost: $4.9 billion sought in a class-action lawsuit, representing $1,000 per individual affected
Breach Type: Loss of unencrypted backup tapes possibly containing patient addresses, phone numbers, Social Security numbers and clinical data.
Breach Date: September 13, 2011
Summary: A computer tape containing ePHI for 4.9 million patients was stolen from the car of an employee of Science Applications International Corp., a contractor to TRICARE Management Activity. A class-action lawsuit seeking $1,000 per individual was filed by the law firm of Shulman, Rogers, Gandal, Pordy & Ecker of Maryland on behalf of an Air Force veteran of the first Iraq war and a military spouse. The defendants named in the suit are TRICARE and Defense Secretary Leon Panetta.
In this instance, TRICARE has declined to provide identity theft protection. By comparison, the Veterans Affairs Department offers credit monitoring services and up to $1 million in annual identity theft protection at a cost of $29.95 per year per veteran. Other covered entities that have experienced HIPAA breaches have also offered identity theft protection.
Sutter Medical Foundation – $944 million – $4.25 billion*
Breach Information: Sutter Medical Foundation
Covered Entity: Sutter Medical Foundation
Individuals Affected:
• 943,434 individuals for clinical data and medical diagnoses
• 3.3 million individuals for demographic data
Event: HIPAA Security Rule breach
Breach Cost: $944 million to $4.25 billion sought in class-action lawsuits, representing $1,000 per individual affected
Breach Type: Theft of a computer containing PHI.
Breach Date: October 15, 2011
Summary: Theft of a single computer containing clinical data and medical diagnoses for nearly 1 million patients, along with demographic data for more than 3.3 million patients. This breach also affected
Proofpoint, Inc.
892 Ross Drive, Sunnyvale, CA 94089 Tel: +1 408 517 4710
www.proofpoint.com