The HHS fine-hammer has come down on another organization. This time the target was The Massachusetts Eye and Ear Infirmary, relating to a healthcare data breach they had earlier this year affecting 3,621 records. After reading the HHS release on the fine and data breach, you can start to see the pattern that is emerging from these fines. Like the HHS fines in Phoenix, Tennessee, and on Cignet, they aren’t targeting organizations for a single failure or event. Rather, they are targeting those institutions that show chronic privacy and security failures. Both organizations either didn’t try very hard, or just didn’t care. HHS explains the MEEI failures:
“…such as conducting a thorough analysis of the risk to the confidentiality of ePHI maintained on portable devices, implementing security measures sufficient to ensure the confidentiality of ePHI that MEEI created, maintained, and transmitted using portable devices, adopting and implementing policies and procedures to restrict access to ePHI to authorized users of portable devices, and adopting and implementing policies and procedures to address security incident identification, reporting, and response.”
This is a pretty damning statement and would/should cause a privacy concern for any MEEI patient. Some data breaches are preventable; some data breaches are just going to happen. Plugging your ears, burying your head in the sand, or just plain ignorance? Expect the HHS to be knocking at your door.