After reporting a data breach that exposed the protected health information (PHI) of its users, a California healthcare startup said it will close at the end of May 2022.
The company, which provides chronic care management and remote monitoring services, filed a data breach notice with California’s Attorney General’s (AG) office. According to the notice, in March 2022, they had discovered a breach in which an unauthorized individual accessed the company’s PHI. The accessed data included patients’ demographic, health, and financial information, including names, phone numbers, dates of birth, medical histories, diagnoses, treatments, lab test results, prescriptions, and health insurance information.
In the data breach notice, the company stated that the decision to close the business was “unrelated to the data security incident.” The company did not provide an explanation as to why the decision was made to close the business.
The company began notifying patients of the data breach on April 29, 2022, which was the same date as the data breach notification to the AG. The notification occurred more than seven weeks after the breach was first discovered.
Issue:
Nursing facility leaders and the Privacy Officer must collaborate with their IT department to ensure that the sensitive data that is housed within their computer systems is protected. All staff who have access to the company’s computer network should be trained on best practices in preventing data breaches and what they must do to assist in the prevention of these breaches. The privacy officer, or another member of the healthcare team, must be knowledgeable in what to do if a data breach is discovered. Additional information is available in the Med-Net Corporate Compliance and Ethics Manual, Chapter 6 Data Integrity.
Discussion Points:
- Review facility policies and procedures on cybersecurity. Ensure that policies are kept current based on best practices in preventing data breaches.
- Train all appropriate staff on best practices to prevent, identify, and report data breaches. Document that the trainings occurred and file in each employee’s education file. Provide additional training as new information becomes available.
- Periodically audit to ensure that staff are knowledgeable and utilizing best practices in preventing data breaches, and ask if they are aware of any concerns or potential issues.