1 Way Your Healthcare IT (or lack of) Can Cost You Millions of Dollars
OCR (the Office for Civil Rights) is the group responsible for enforcing the privacy and security rules as they relate to HIPAA compliance.
2018 was a record-setting year for OCR enforcement cases. The last two settlements in 2018 were the result of IT mistakes. These were not the only cases that were the result of IT mistakes, but I am using them to highlight a problem.
These cases date back to 2013 and 2015. Cottage Health had two different breaches that caused tens of thousands of ePHI (electronic protected health information) records to be accessible. The cases impacted approximately 33,349 and 11,608 individuals respectively.
In each case, the breach was the result of an error or oversight on the part of IT staff.
In 2013, the breach was the result of the removal of electronic security protection from one of Cottage Health’s servers. This caused patient names, addresses, dates of birth and medical information to be available to anyone outside of Cottage Health with access to the server. Anyone with the server info was able to download the PHI.
In 2015, the breach was caused by the activation of the wrong website on a SQL server. This exposed patient names, addresses, dates of birth, social security numbers and healthcare information to the internet.
The patient information was accessed hundreds of times by Google, meaning anyone who searched for something related to the PII (Personally Identifiable Information) could have had the patient information returned in the results. For example, if someone searched for John Smith, and he was one of the 51,000 individuals whose information was exposed, his records were potentially returned by Google.
It’s alleged that records were available on Google from 2011 to 2013.
It wasn’t until December 2013 that a man in Arizona, who discovered the records while doing research on Google, notified Cottage Health.
Cottage was running outdated software and failed to apply software patches. It was also discovered that they failed to remove default configurations, failed to use strong passwords and failed to limit access to PII.
Cottage Health also failed to run risk assessment audits.
These are glaring holes in the IT infrastructure. While two individuals were identified as causing the breaches, the real reason these breaches occurred is that no processes and routine audits were in place. An audit likely would have discovered the vulnerability, and it would have been addressed much sooner.
In total, nearly 51,000 patients had their information exposed because of mistakes by IT. But was it the IT personnel’s fault? That question will probably not get answered but these breaches highlight the need for processes and audits to be in place.
What Did This Cost Cottage Health?
The California Attorney General could have fined Cottage Health $275 million. In the end, it was settled for $2,000,000. While $2,000,000 does not seem like a lot to an insurance carrier, it’s also likely that a lot of new practices, policies and procedures (including audits) were put into place, along with new personnel.
It’s also likely that there were/are lawsuits from patients who had their PHI exposed.
Finally, the damage to Cottage Health’s reputation might prove to be the costliest penalty of all. This is not easy to measure in dollars but there’s little doubt that they lost customers after these breaches were announced.
Why Am I Writing About This?
It’s true our clients are not huge healthcare providers. We work with smaller practices who aren’t likely to have fines in the millions (though it is possible).
I write about this because all too often I see healthcare practices whose IT is serviced by an IT Service Provider who is not HIPAA compliant and likely has no idea what is or isn’t a HIPAA violation. One mistake by this IT Service Provider could cost a small practice tens of thousands of dollars, lost income, a damaged reputation and possibly business closure.
A few years back we serviced a dental practice in Manhattan. The office had 7 Windows PCs. Every one of the PCs needed Windows updates (some dating back over a year). 5 of the 7 did not have active malware protection running.
The office network was connected to a wireless router that had an open wireless network running, and still had the default logins on the router. Anyone near the dentist could potentially access patient information because the internal network with the unpatched Windows computers was connected to the same router without a firewall.
Two of us applied updates, performed routine maintenance, and updated or installed malware protection software, but they did not want to update the wireless router or the network, or continue with a maintenance plan.
And two of their computers were found to have malicious content. Numerous HIPAA violations and potential vulnerabilities exist at this dentist’s office. I wonder if they’re still in business.
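The checks this post keeps coming back to (patch currency, default configurations, malware protection, open wireless and unsegmented networks, and PHI that is reachable from the internet) can be turned into a repeatable audit rather than something discovered after a breach. The following is an added example, not code from the original post or from any organisation it mentions: a small Python audit that runs a fixed checklist over a device inventory and ranks the findings. The inventory, the audit date, the 30-day patch threshold and every device name are constructed for illustration, modelled on the dental office described above with one records server added to cover the Cottage Health pattern of a PHI host exposed to the internet.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional

# Assumed policy threshold for this example (not a value from the original post).
MAX_PATCH_AGE_DAYS = 30


@dataclass
class Asset:
    """One device in a small practice's inventory (constructed for this example)."""
    name: str
    kind: str                               # "workstation", "server" or "router"
    last_patched: Optional[date] = None     # None means the patch state is unknown
    malware_protection: bool = False
    default_credentials: bool = False
    open_wireless: bool = False
    segmented_by_firewall: bool = True      # firewall between this device and the PHI network
    holds_phi: bool = False
    internet_exposed_services: List[str] = field(default_factory=list)


@dataclass(frozen=True)
class Finding:
    asset: str
    severity: str                           # "critical", "high" or "medium"
    issue: str


SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2}


def audit(inventory: List[Asset], today: date) -> List[Finding]:
    """Run the checklist over every asset and return findings, most severe first."""
    findings: List[Finding] = []
    for a in inventory:
        # Patch currency: an unknown state fails the check rather than passing it.
        if a.last_patched is None:
            findings.append(Finding(a.name, "high", "patch state unknown"))
        else:
            age = (today - a.last_patched).days
            if age > MAX_PATCH_AGE_DAYS:
                findings.append(Finding(a.name, "high", f"patches are {age} days old"))
        if a.kind in ("workstation", "server") and not a.malware_protection:
            findings.append(Finding(a.name, "medium", "no active malware protection"))
        if a.default_credentials:
            findings.append(Finding(a.name, "high", "default credentials still in use"))
        if a.open_wireless:
            findings.append(Finding(a.name, "high", "open (unauthenticated) wireless network"))
        if not a.segmented_by_firewall:
            findings.append(Finding(a.name, "high", "no firewall between device and PHI network"))
        # A host holding PHI must not be reachable from the internet at all.
        if a.holds_phi and a.internet_exposed_services:
            exposed = ", ".join(a.internet_exposed_services)
            findings.append(Finding(a.name, "critical", f"PHI host exposed to the internet via {exposed}"))
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f.severity], f.asset))


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity so an owner can see the state at a glance."""
    counts = {"critical": 0, "high": 0, "medium": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


# Constructed inventory: seven PCs (five unpatched for over a year and without
# malware protection), a router with default logins, an open wireless network and
# no firewall, plus a records server that exposes a web service to the internet.
AUDIT_DATE = date(2019, 3, 1)
INVENTORY: List[Asset] = (
    [Asset(f"pc-0{i}", "workstation", last_patched=date(2019, 2, 20), malware_protection=True)
     for i in (1, 2)]
    + [Asset(f"pc-0{i}", "workstation", last_patched=date(2017, 12, 1)) for i in range(3, 8)]
    + [Asset("office-router", "router", default_credentials=True, open_wireless=True,
             segmented_by_firewall=False),
       Asset("records-server", "server", last_patched=date(2019, 2, 1), malware_protection=True,
             holds_phi=True, internet_exposed_services=["http"])]
)


def run_sample_audit() -> List[Finding]:
    return audit(INVENTORY, AUDIT_DATE)


if __name__ == "__main__":
    for f in run_sample_audit():
        print(f"[{f.severity.upper():8}] {f.asset}: {f.issue}")
    print(summarize(run_sample_audit()))
```

Two design choices matter more than the individual checks. An unknown patch state is reported as a failure, because "we don't know" is exactly the condition an audit exists to surface; and the exposure check is the only one rated critical, because a PHI host reachable from the internet is the condition that produced the Cottage Health settlement rather than a near miss. Feeding this from a real inventory (a spreadsheet export, an RMM tool, a router configuration review) is the part a practice's IT provider has to own.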
Another practice I see often is a sign-in sheet left in the lobby of a general practitioner. The idea is that you write your name and the reason for your visit. This is a clear HIPAA violation. This seems to happen so that the office manager’s job is easier, or so they don’t have to talk to patients.
How often have you stood behind another patient checking in and been able to hear the conversation between them and the receptionist? Name, address, reason for the visit, etc.
The point I am trying to make is that HIPAA violations are still rampant across all medical practices. These violations can be detrimental to the Healthcare Provider’s existence, and to their patients’ privacy. If you’re taking shortcuts on your Healthcare IT by hiring the cheapest or least experienced IT support you can find, you’re doing your Healthcare business, and your patients, a huge disservice. Saving a few dollars now might cost you a lot more down the road. You should do everything possible to ensure your patients’ privacy is protected and your Healthcare business’ reputation remains intact.
Is your Healthcare Provider 100% HIPAA compliant? If you’re not sure, have them give us a call or fill out this form.
This is a very dark and complex world that I think I do not even fully understand. In Italy, health works differently, but not for this reason.
This is a deep world confession. I think this aspect of health needs to be seen by all.
Health care is so different in India, and I am actually grateful for it.
This was such an interesting read. I don’t work in this field, and it was interesting to see how the inner workings of it are handled and how it can go awry.
Healthcare in the US seems like such a nightmare! In France and the UK, healthcare is basically free! Good thing I am insured in the US!
To think that this is happening is not good. We need health care and I hate the expenses that come with it.
Healthcare can get so crazy and expensive. I’m glad we have it through the military. It makes sense and we rarely pay out of pocket.
I can never wrap my head around the healthcare system in other countries. I feel very lucky that ours is as it is. It may not be perfect but it won’t leave us in debt.
It is scary what we are dealing with. I had no idea how flawed our healthcare system is.
I can never believe how much data is compromised every day. I guess that’s the one problem with technology.
This is such a scary thought, people constantly use their technology and don’t understand how easily it could get hacked. Companies make this mistake as well and forget how important it is to continue to update and patch software in order to avoid any data breaches such as this one. This is why our information is so easily accessed on the dark web. The best we can do is attempt to keep our information sacred and as company owners and savvy tech leaders inform everyone how important it is to treat our technology like we treat our homes. Thanks for the share!
Wow, never even thought about this! I used to work in healthcare and we were constantly drilled on making sure we never violated HIPAA. And I could totally see someone, such as IT, not being aware of this. I really preferred having most of my documents in a locked file cabinet and had issues when everything went digital. It’s scary how easy our information can be thrown out into the internet.
True.. healthcare and insurance are something you wish you have but never have to use.
This is really an interesting post and health care in India is really great. Thanks for sharing.
Healthcare in our country is such a train wreck. Instead of fixing the problems, these “leaders” of our country keep bashing each other and want to rip it apart. It’s such a sad thing.
The patient’s security is a must. People should take action against anyone violating the patient’s details.
This is pretty informative to everyone. I just love to read something like this. Makes me want to question some stuff.
This is a great insight as to why healthcare can be so expensive in the US. I was listening to a presentation over the weekend about the cost pharma companies incur in the production and research of drugs. Maybe, it is time to depend more on natural remedies like garlic rather than these complex, manufactured medications wherever we can to reduce healthcare costs as much as possible.
The health care system is expensive here and I hope to start saving for better health care when I retire.
This is such a complex but important topic to talk about. There are many practices that I think are due an update so they can adequately protect customer data. Thanks for sharing!
Healthcare seems so complicated in other countries apart from the UK. It is scary to think that a healthcare provider may not be 100% HIPAA compliant.
That’s definitely a lot of light on the health care system. It is important but also differs so much from country to country.
Thanks for sharing this insightful post. Made me think a lot about how healthcare companies can sabotage our weaknesses.
What a great insight and thank you for providing so much information on how healthcare insurance really works.
Healthcare is so expensive. It’s ridiculous how companies get away with charging those outrageous fees.
What an insightful post on healthcare! I didn’t know much of this. Thanks for sharing.
Health care almost everywhere will really drive you crazy. Getting confined in a hospital may cost you your one year salary. So sad about this fact…😞
Saving that kind of money is nothing to take lightly! Having good and steady IT services makes a business run efficiently.
Such an interesting post. We are lucky that health care is free in the UK.
The United States health care system is a convoluted system. The government tried to remedy this with a health care reform act that still did little to change it on a grand scale. What’s worse is that health care is decided by the insurance industries, so many people still don’t get adequate care even if they have insurance. I wish we’d just do universal health care like they do in Canada.
The healthcare system is so complex and daunting. This is a great informative post. Thanks for sharing!
Health care is such a controversial issue; it would be great if it was affordable for everyone, but that may be wishful thinking in this day and age.
Sad to say that here in our country, Health care is also expensive because of corrupt politicians who won’t prioritize it. This is really interesting and informative.
Healthcare is something that we need to invest in. I hope every country has free health insurance just like others.
You’re so right! Without the right IT professional, that can really cost a lot to any healthcare provider and even ruin the reputation. This reminds me of an incident when the machine operator performed the wrong surgery on someone. It was super alarming!
This is a very interesting post. I am not in the healthcare field, but thanks for this insight.
I think your post is as important as health itself. IT professionals are essential and lack of understanding of it leads to high losses. It just takes time to realize.
Healthcare in the US is a nightmare. I’m nervous to have to get off of my parents insurance in a couple years – I’m just going to try to stay out of the doctors office lol
Even though we moan about our healthcare – we’re very lucky to have the NHS in the UK
Very interesting post. Always good to stay up to date on technology to get the best use of it.