Healthcare Compliance Perspective – HIPAA Protection:
What should a healthcare provider do when circumstances beyond its control delay its awareness of a breach of privacy involving the protected health information of its patients? The healthcare provider's breach notification policy and procedures must be implemented as soon as the breach is discovered by the healthcare provider or notification of the breach is provided to the healthcare provider by a third-party contractor. The healthcare provider must also review the entire timeframe during which it was unaware of the breach and evaluate whether any other efforts could have been made to become aware of the breach sooner.
Nuance, a speech recognition software firm in Massachusetts, recently announced that a breach of its servers by a former employee resulted in unauthorized access to information on 45,000 individuals associated with its clients.
The breach was discovered in December 2017, but at the request of the FBI and the U.S. Department of Justice, the company delayed notifying affected persons. The two federal agencies wanted notification delayed because of their pending investigation of the breach. Their investigation identified the person responsible for the breach and recovered some of the accessed reports.
The information accessed by the former employee included names, birthdates, medical record and patient numbers, and other dictated information about patients' conditions, diagnoses, treatments, care plans and service dates.
Nuance reported that the San Francisco Department of Health is the only one of its clients that has notified its affected patients. Nuance also reported that it has made all of its affected clients aware of the breach and has relocated those clients onto another transcription platform.
Interestingly, the data breach was not the first problem that Nuance experienced last year. Last June, the company was hit by the NotPetya malware outbreak, which cost it $92 million. That malware infection did not involve a data breach.
It was noted that breaches involving company insiders are among the most difficult to defend against. One thing that might have prevented this breach would have been to lock out and block ex-employees' access to the company's systems as soon as they leave the company's employ. It is not known whether this was a contributing factor in this breach.
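One way to check for the gap described above, as an added example that is not from the article or from Nuance: reconcile an HR termination feed against an identity-store export, flag every terminated user whose account is still enabled, and report how long it stayed enabled and whether it was used after the termination date. The user names, dates and data layout are constructed assumptions.

```python
from datetime import date

# Constructed sample data: an HR termination feed (user -> last day of
# employment) and an identity-system export of account state.
TERMINATIONS = {
    "alice": date(2017, 11, 20),
    "bob": date(2017, 12, 1),
}
ACCOUNTS = {
    "alice": {"enabled": True, "last_login": date(2017, 12, 10)},
    "bob": {"enabled": False, "last_login": date(2017, 11, 30)},
    "carol": {"enabled": True, "last_login": date(2017, 12, 15)},
}


def stale_accounts(terminations, accounts, as_of):
    """Return {user: (days_enabled_after_termination, used_after_termination)}
    for each terminated user whose account is still enabled on `as_of`.

    `used_after_termination` is True when the last recorded login is later
    than the termination date, i.e. the gap was actually exercised.
    """
    findings = {}
    for user, term_date in terminations.items():
        acct = accounts.get(user)
        if acct is None or not acct["enabled"]:
            continue  # already disabled or no account: nothing to flag
        exposure_days = (as_of - term_date).days
        last_login = acct["last_login"]
        used_after = last_login is not None and last_login > term_date
        findings[user] = (exposure_days, used_after)
    return findings


if __name__ == "__main__":
    for user, (days, used) in stale_accounts(
        TERMINATIONS, ACCOUNTS, date(2017, 12, 20)
    ).items():
        print(f"{user}: enabled {days} days after termination, "
              f"used after termination: {used}")
```

Run against a real export, the `used_after_termination` flag separates a hygiene finding (account left enabled) from a likely incident (account used after departure) that should trigger the breach notification procedure.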