CDPH fines Lucile Packard Children's Hospital for delayed breach notification

Date Reported:
9/9/10

Organization:
Stanford University Medical Center

Contractor/Consultant/Branch:
Lucile Packard Children’s Hospital

Location:


Victims:
Patients

Number Affected:
532

Types of Data:
"names, date of birth, medical record numbers, diagnoses, procedures, insurance information and/or social security numbers"

Breach Description:
The California Department of Public Health (CDPH) has levied a $250,000 fine against Lucile Packard Children’s Hospital at Stanford for what CDPH believes was a late reporting of a breach involving the employee theft of a desktop computer containing patient medical records.

Reference URL:
Lucile Packard Children's Hospital News Release
HealthLeaders Media

Report Credit:
Lucile Packard Children’s Hospital

Response:
From the online sources cited above:

PALO ALTO, Calif. -- Lucile Packard Children’s Hospital at Stanford is appealing a California Department of Public Health (CDPH) penalty.

The CDPH on April 23, 2010, after the self-reporting of a security incident by Packard Children’s, alerted the hospital that a fine of $250,000 was being levied as a result of what CDPH believes was a late reporting of the incident.

This isolated incident was related to the apparent theft earlier in the year of a password-protected desktop computer that contained information about 532 patients.

The computer in question was used by an employee whose job required access to patient information.

Even though the employee had signed written commitments to keep patient information confidential and secure in accordance with legal requirements and hospital policies, the hospital received reports that the now-former employee allegedly removed the computer from hospital premises and took it home.
[Evan] So go to his/her home and get it back!  Probably not that easy, is it?  Just because this employee's job required access to patient information does not mean that he/she required access to all of a patient's information, and it also does not mean that he/she should be allowed to store it on their workstation.

The hospital immediately began a thorough investigation and also reported the matter to law enforcement in an attempt to recover the computer quickly.

As soon as the hospital and law enforcement determined the computer was not recoverable, the hospital voluntarily reported the incident to the California Department of Public Health (CDPH) and federal authorities, as well as the families of potentially-affected patients.
[Evan] I wonder why the computer is "not recoverable".

The hospital also provided to the families identity theft protection and other support services.

Theft charges have been filed against the former employee.

Packard Children’s believes that there has been no unauthorized or inappropriate access to the information on the computer.

“We use very sophisticated tools to conduct investigations such as this,” said Ed Kopetsky, chief information officer at Packard Children’s. “We are able to detect if the missing computer connects to a network that has access to the Internet and we’ve been monitoring this activity regularly to determine if this computer has been online anywhere. It has not.”
[Evan] Would these "sophisticated tools" detect if a person took the hard drive out of this computer and installed it as a slave drive on another computer?  Would these "sophisticated tools" detect that a person turned the computer on if it weren't connected to an Internet-accessible network?  Would these "sophisticated tools" prevent access or just detect access in the event that this computer were connected to an Internet-accessible network?  We don't need "sophisticated tools".  What we need is good information security basic sense.

"This theft was very unfortunate," said Susan Flanagan, RN, chief operating officer. "We hold ourselves to the highest standards in taking care of the children we treat, and we are committed to providing the best care possible and to protecting our children's privacy. The privacy and security safeguards we employ are some of the most advanced technologies and controls available to hospitals today.”
[Evan] Advanced technologies don't do squat if they aren't supported by good basic practices.

CDPH fined the hospital $250,000 for allegedly reporting the incident 11 days late.
[Evan] Wow, CDPH means business!  In general, people (legislators, regulators, customers, partners, stakeholders, etc.) are losing patience with organizations that fail to adequately protect sensitive information.

“We believe our communication to CDPH was appropriate and we are appealing the late fee,” said Flanagan.

“Lucile Packard Children’s Hospital is proud to have some of the industry’s strongest policies and controls in place for patient privacy protection,” added Kopetsky. “Even though we believe that no patient information was compromised and no patients were harmed, we are using this incident to further tighten our security and provide additional education to our staff.”
[Evan] How many times have I heard an organization say that they are proud of their information security only to find significant failures in protection, detection, and/or correction practices?

CDPH has yet to set a date for a ruling on the hospital’s appeal.

State officials on Thursday released a document, called a "2567," summarizing the results of the state's investigation of the Lucile Packard incident.

"Based on interviews and record review, the hospital failed to notify a privacy breach of patients' protected health information (PHI) to 532 patients within five days after the hospital confirmed the breach on 2/1/10. The hospital failed to send notifications to the patients until 2/19/10."

"The confidential data included names, date of birth, medical record numbers, diagnoses, procedures, insurance information and/or social security numbers."

"The privacy and security safeguards we employ are some of the most advanced technologies and controls available to hospitals today."
[Evan] More pride.

Added Ed Kopetsky, chief information officer at Packard Children’s, "Even though the investigation revealed that no patients were harmed and apparently no patient information was compromised, we are using this incident to further tighten our security and provide additional education to our staff."
[Evan] Wait a second.  No patient information was compromised?  If they can state this as fact, then why do they have to notify anyone or pay any fines?

Commentary:
According to the comments from the hospital, it seems as though they are using the best, strongest, and most advanced information security controls available to man.  Let's say for a second that this is true.  This leads me to a point actually.  Information is never "secure" and is always susceptible to a breach.  We (us information security professionals) assess, design, implement, manage, and improve controls to limit risk.  Back to the hospital's information security program now.  There are a couple of things that the hospital could have done better at in order to reduce risk in this situation:

  1. Physical security.  How is an employee permitted to take a desktop computer home with him/her without prior approval/authorization?
  2. Encryption.  Why is confidential information stored on a desktop computer without encryption?  I suppose the employee would probably have the decryption key though.  Bummer.
  3. Logical security.  Why is confidential information allowed to be stored on a desktop computer, especially one that may not be physically secure (see #1)?

So I ramble.  What's new?

Past Breaches:
Unknown
