Lucile Packard Children’s Hospital is no stranger to stolen equipment containing PHI. In January 2010, a desktop computer with PHI on 532 patients was stolen, a breach the hospital later self-reported, and as recently as January 2013 it notified 57,000 patients after a laptop was stolen from a physician’s car. Now the hospital is notifying patients about another breach involving the theft of hardware with unencrypted PHI. From a statement on their web site:

Lucile Packard Children’s Hospital at Stanford is notifying patients by mail that a password-protected, non-functional laptop computer that could potentially contain limited medical information on pediatric patients was stolen from a secured, badge-access controlled area of the hospital sometime between May 2 and May 8, 2013. This incident was reported to Packard Children’s on May 8. Immediately following discovery of the theft, Packard Children’s launched an aggressive and ongoing investigation with security and law enforcement. To date, there is no evidence that any pediatric patient data has been accessed by an unauthorized person or otherwise compromised.

What medical information was on the laptop?

The information that could potentially have been on the stolen computer related to operating room schedules, which the employee accessed as part of her work functions through Packard Children’s secure and encrypted electronic systems. The computer was password protected, but some information could have transferred to the laptop, and the laptop was not encrypted. The computer was outdated and damaged, thus on a schedule for collection by information technologists. The information did not include financial or credit card information, nor did it contain Social Security numbers, insurance numbers or any other marketable information.
The information on the operating room schedule that could have transferred to the computer would have been patient names, ages, medical record number, telephone number, scheduled surgical procedure, and name of physicians involved in the procedure over a three-year period beginning in 2009. To date, there is no evidence that any patient data has been accessed by an unauthorized person or otherwise compromised.

How many patients were potentially affected?

Out of an abundance of caution, we are providing outreach to approximately 12,900 patients, and we are assuring they are notified promptly.

When did the notifications begin?

Notifications to federal and state regulators, affected individuals and parents, and the media are under way as of June 11. Due to the law enforcement investigation, such notifications were delayed, as permitted by law, to avoid impeding the investigation.

How are potentially affected individuals being notified?

In addition to the mailed letters, a toll-free phone line has been established to answer questions for those notified. The toll-free number is (855) 683-1168, and is available Monday through Saturday from 6 a.m. to 6 p.m. PST. In addition, potentially affected individuals have been offered the option of free identity protection services.

How is the investigation proceeding?

So far, efforts to recover the computer have been unsuccessful, but the law enforcement investigation is still ongoing. Lucile Packard Children’s Hospital strives to be an industry leader in the area of medical information security. As a result of this incident, we are taking additional steps to further strengthen our policies and controls surrounding the protection of patient data.

News Release: http://www.lpch.org/aboutus/news/releases/2013/patient-notification.html
A breach at Lucile Salter Packard Children’s Hospital in 2010 generated a number of posts on this blog – especially after the hospital was reportedly fined $250,000 by California for a delay in notifying patients of the breach. I recently reported that the hospital had settled its appeal with the state and did not have to pay the $250,000 fine, but I didn’t know why or what we could learn from the settlement. Neither the hospital nor the state would give me any statement before I wrote that post. The state subsequently contacted me and said they would issue a statement, which I just received:

The original $250,000 penalty posting was an error discovered during the appeal. The correct calculation should have been $100/day times the number of days the facility failed to report the breach to CDPH, for a total penalty of $1100.

So after all that – and after all the blog entries and discussions with lawyers about the wisdom of such a steep penalty under the conditions of the breach and the possible constitutionality of California’s law, the fine was just a mistake. And thus endeth this story.
From their press release, issued yesterday:

Lucile Packard Children’s Hospital at Stanford and the Stanford University School of Medicine are notifying patients by mail that a password-protected laptop computer containing limited medical information on pediatric patients was stolen from a physician’s car away from campus on the night of January 9, 2013. This incident was reported to Packard Children’s and the School of Medicine on January 10. Immediately following discovery of the theft, Packard Children’s and the School of Medicine launched an aggressive and ongoing investigation with security and law enforcement, and began contacting patients potentially affected.

The medical information on the stolen laptop was predominantly from 2009 and related to past care and research. The patient data did not include financial or credit card information, nor did it contain Social Security numbers or any other marketable information. It did include names and dates of birth, basic medical descriptors, and medical record numbers, which are used only by the hospital to identify patients. In some cases, there was limited contact information. There is no indication that any patient information has been accessed or compromised.

They also posted an FAQ on their site, which says, in part, that 57,000 patients are being notified.

h/t, Mercury News
For Release: September 09, 2010

PALO ALTO, Calif. — Lucile Packard Children’s Hospital at Stanford is appealing a California Department of Public Health (CDPH) penalty. The CDPH on April 23, 2010, after the self-reporting of a security incident by Packard Children’s, alerted the hospital that a fine of $250,000 was being levied as a result of what CDPH believes was a late reporting of the incident.

This isolated incident was related to the apparent theft earlier in the year of a password-protected desktop computer that contained information about 532 patients. The computer in question was used by an employee whose job required access to patient information. Even though the employee had signed written commitments to keep patient information confidential and secure in accordance with legal requirements and hospital policies, the hospital received reports that the now-former employee allegedly removed the computer from hospital premises and took it home. The hospital immediately began a thorough investigation and also reported the matter to law enforcement in an attempt to recover the computer quickly. As soon as the hospital and law enforcement determined the computer was not recoverable, the hospital voluntarily reported the incident to the California Department of Public Health (CDPH) and federal authorities, as well as the families of potentially-affected patients. The hospital also provided to the families identity theft protection and other support services. Theft charges have been filed against the former employee.

Packard Children’s believes that there has been no unauthorized or inappropriate access to the information on the computer. “We use very sophisticated tools to conduct investigations such as this,” said Ed Kopetsky, chief information officer at Packard Children’s.
“We are able to detect if the missing computer connects to a network that has access to the Internet and we’ve been monitoring this activity regularly to determine if this computer has been online anywhere. It has not.”

“This theft was very unfortunate,” said Susan Flanagan, RN, chief operating officer. “We hold ourselves to the highest standards in taking care of the children we treat, and we are committed to providing the best care possible and to protecting our children’s privacy. The privacy and security safeguards we employ are some of the most advanced technologies and controls available to hospitals today.”

CDPH fined the hospital $250,000 for allegedly reporting the incident 11 days late. “We believe our communication to CDPH was appropriate and we are appealing the late fee,” said Flanagan.

“Lucile Packard Children’s Hospital is proud to have some of the industry’s strongest policies and controls in place for patient privacy protection,” added Kopetsky. “Even though the investigation revealed that no patient information was compromised and no patients were harmed, we are using this incident to further tighten our security and provide additional education to our staff.”

CDPH has yet to set a date for a ruling on the hospital’s appeal.

Hat-tip, FierceHealthcare

Updated: Jaikumar Vijayan of Computerworld covers the appeal here. Earlier today, I made some comments to a hospital spokesperson who had responded to a previous blog entry on the fine and also attempted to contact the hospital by e-mail to get additional clarification on some points.
UPDATE: In a statement sent to PHIprivacy.net on March 7, a CDPH spokesperson writes:

The original $250,000 penalty posting was an error discovered during the appeal. The correct calculation should have been $100/day times the number of days the facility failed to report the breach to CDPH, for a total penalty of $1100.

So after all that, it was just a mistake? Yikes…

Original post:

A penalty imposed by California on a hospital for failure to notify patients within 5 days was appealed and the case settled, but can we learn anything from the settlement?

In March 2010, we first learned of an incident involving a stolen computer with 532 patients’ information at Lucile Salter Packard Children’s Hospital. As more details emerged, we learned that while the incident occurred on January 11, 2010, the hospital had first reported the breach to the state on February 19, 2010, despite the fact that California law governing hospitals requires notification to the state and affected patients within 5 days of detection of unlawful or unauthorized access, use, or disclosure. In April 2010, the state imposed a $250,000 penalty on the hospital for failure to timely notify patients. That amount was the maximum allowable under California’s law.

The hospital appealed the penalty. Their case raised a number of questions, including whether a hospital had a legal obligation to notify if it was still investigating a report and trying to determine if there had been unauthorized access to patient information. I uploaded the state’s report and covered some of the resulting controversy over the penalty, including a guest post about the constitutionality of laws and suspected data breaches. And that’s where things stood for quite a while, as whenever I checked back, the appeal was still under consideration. In due course, being well-intentioned but old, I forgot to keep checking.
This week, a few remaining neurons kicked into gear, and I learned that the hospital and the state had reached a settlement in September 2011, a copy of which I obtained from the state. Under the terms of the settlement, the hospital paid $1,100.00 for late notification to the state and no penalty for late notification to patients. The settlement, which also included an additional $3,000.00 penalty for settlement of an unrelated privacy breach notification complaint, included a statement:

Execution of THIS STIPULATION FOR SETTLEMENT does not constitute any acknowledgement or admission of error, faulty, liability or wrongdoing by either party.

Neither the state nor the hospital would comment on the settlement. So where does that leave us on the possible constitutional issues raised? What have we learned about how the state interprets the notification provisions? What should legal counsel for covered entities in California advise their clients going forward should a similar situation arise again, as it may if an employee with authorized access walks out with (possibly steals) a device containing PHI? Does the entity need to notify all patients even if they haven’t yet determined whether the device might still be under the employee’s control and the data have neither been accessed nor used? Your guess is as good as – or better than – mine. There are probably lessons to be learned here about breach response in California, but damned if I know what they are without some explanation from the state.

You can access the settlement here (pdf). See what you think. Interestingly, HHS’s investigation of the incident still remains open.
Jason C. Gavejian writes about a hospital breach that is causing waves because of the exorbitant fine the state imposed:

Lucile Salter Packard Children’s Hospital at Stanford University was fined $250,000 earlier this year by the California Department of Public Health (“CDPH”) for an alleged delay in reporting a breach under California’s health information privacy law. What makes this fine particularly disconcerting for health care providers is the relatively small number of patient records which were subject to the breach when compared to the considerable fine imposed. For employers generally, this fine could establish a timing and penalty standard which is examined and utilized by other administrative entities.

Personally, I think the significant issue/concern is not the number of patients affected (532) but the time issue. The hospital had confirmed that PHI was on the stolen computer by Feb. 1. Under California’s law, the state’s position is that the hospital had five (5) business days from that point to notify both the state and affected patients. The hospital, however, did not notify the state or affected patients until February 19, after it confirmed that it could not recover the computer.

On April 23, 2010, CDPH informed the hospital of the fine for reporting the incident 11 days late. It is unclear if the fine was tied to a failure to notify the affected individuals or the CDPH. The hospital is appealing the fine, asserting its communication to CDPH was appropriate given that no unauthorized or inappropriate access took place to require it to notify affected individuals.
As much as I empathize with the hospital, the statute does not appear to give them wiggle room on this:

A clinic, health facility, home health agency, or hospice to which subdivision (a) applies shall report any unlawful or unauthorized access to, or use or disclosure of, a patient’s medical information to the department no later than five business days after the unlawful or unauthorized access, use, or disclosure has been detected by the clinic, health facility, home health agency, or hospice.

Does stealing a computer provide “unlawful access” to the patients’ records? If so, it seems to me that the clock started running on Feb. 1. I understand the hospital’s view and I understand that the stolen computer had software that enabled the hospital to know that it had not been turned on, but there is nothing in the statute that would seemingly toll the deadline for that. CDPH’s report can be found here (pdf).

This incident highlights the seriousness of potential data breaches, regardless of size, and the urgency with which these situations must be addressed. It also highlights an often asked question as to whether laptops that go unrecovered would constitute unauthorized access or acquisition of protected information.

I think the answer is obvious: if an entity loses control of a device that contains unsecured PHI, it may or may not have been acquired by someone, but if you know it was stolen, then it was acquired. Whether it will ever be accessed or not is another question, but entities need to err on the side of caution and assume the worst and notify promptly. The HIPAA regulations also shed light on this issue, stating, “if a computer is lost or stolen, we do not consider it reasonable to delay breach notification based on the hope that the computer will be recovered.” Agreed. Whether the fine should be this steep is another matter, though. I personally think it’s quite harsh.

Read Jason C. Gavejian’s full commentary without my interspersed remarks on Workplace Privacy Data Management & Security Report.
HHS has updated its breach tool again. Here are the new additions, starting with the ones we already knew about:

Fayetteville VAMC
UMASS Amherst
Various Health Plans, AL, SynerMed / Inland Valleys IPA (note: 3,164 were affected)
Lincoln County Health and Human Services/Lincoln Community Health Center (note: 959 were affected)
Lucile Packard Children’s Hospital
Palm Beach County Health Department (Note: if this is the same breach reported in the media as going on for a year and affecting 2,800, it’s curious that the county’s report to HHS says 877 were affected and that the breach occurred January 7 of this year.)
Gulf Breeze Family Eyecare

It seems the only one not covered in the media was one involving Union Security Insurance Company in Missouri that affected 1,127 insured. The breach occurred May 17, and involved “Improper Disposal, E-mail.” I’m not finding anything else on the breach at this time.
There may be a lot of justifiable criticism of Sony in terms of security, but as I’ve commented previously on this blog, I don’t think “delayed notification” when they discovered they were breached was one of their sins. Robert McMillan reports: Sony didn’t show up for last week’s Capitol Hill hearing on its massive data breach, thought to have affected more than 100 million video gamers. But that didn’t stop Representative Mary Bono Mack from laying into the company, along with Epsilon, a marketing company that experienced a similar breach just weeks before. “I am deeply troubled by these latest data breaches and the decision by both Epsilon and Sony not to testify today. This is unacceptable,” said Mack, a California Republican, in her opening remarks. “The single most important question is simply this: Why weren’t Sony’s customers notified sooner about the cyber-attack?” Read more on Computerworld. The expectation of immediate disclosure and notification is not without precedent. Last year, California fined the Lucile Packard Children’s Hospital $250,000 for not complying with a state law that requires certain covered entities to notify both the state and affected individuals within 5 days after determining that they’ve suffered a breach. The hospital appealed the fine, but I have not seen any follow-up as to the results of their appeal. So… what is reasonable in terms of time frame from discovery of a breach and public disclosure? Part of the bad rap Heartland Payment Systems got over their breach was that despite being notified in October or November of 2008 by card issuers that they had been breached, they did not disclose publicly until January 2009. The payment processor stated that although they had been told that they had a problem, they couldn’t find it or confirm it for months despite bringing in various experts to help them. Should they have disclosed in 2008 before they could even confirm they had a breach? 
If so, what could they have said that would have been of genuine help to those whose card numbers may have been compromised? Wouldn’t the public have been demanding information that they were not yet in a position to provide? I’m a privacy advocate and not a security professional, but I’d like to see the professionals come up with their own recommendations as to what’s reasonable in these situations. If the public and legislators are making demands on entities that aren’t doable, let’s figure out what is.
The following is cross-posted from PHIprivacy.net:

In September, I posted an excerpt from a thought-provoking commentary by attorney Benjamin Wright. In discussing a fine levied against Lucile Salter Packard Hospital for late notification under California’s breach notification law, he had written, in part:

The California Legislature made clear it wants notices to be issued quickly. However, the law should not be interpreted to require rash decision-making. If the law is interpreted as a hair-trigger requirement for notices before a competent investigation can be concluded, then I question the constitutionality of the law. That interpretation would render the law arbitrary, capricious, unreasonable, in conflict with the need for due process under the US Constitution.

At the time, I had a number of questions about his analysis and commentary, and I’m delighted to say that Ben recently got in touch with me and offered to expand on his previous article. The following, then, is a guest article and commentary by Benjamin Wright:

*****

On this blog, Dissent published comments about my observations regarding the Lucile Packard Children’s Hospital data breach case in California. I made a constitutional argument that data breach investigations should not be unduly rushed. Dissent expressed confusion about my argument, and has invited me to explain myself here. I stress that I am not passing judgement on the decisions in this particular LPCH case because I don’t know enough of the facts. But I am using the case to make a general point about law and the investigation of suspected data breaches.

Background: In the LPCH case one employee alleged that another employee walked out the door with a computer containing sensitive data. The alleged perpetrator otherwise was authorized to use the computer in question and to access the data. LPCH conducted an investigation, which included asking police to attempt to recover the computer.
After determining that the computer was unrecoverable, LPCH sent out breach notices on February 19, 2010. The California Department of Public Health said the notices should have gone out more quickly, and therefore fined LPCH. CDPH says that as of February 2, 2010, LPCH had “confirmed” the breach.

On my blog, I argued the California breach notice law should not be interpreted to require hair-trigger determinations by data holders on the question of whether a breach has occurred. In other words I argued that a rush to judgment is bad law and unconstitutional. This is what I mean.

Just because a data holder suspects that data were accessed wrongfully does not mean that in fact the data were accessed wrongfully. When a suspicion exists, an investigation is required. But the investigation should not be a pell-mell rush to a conclusion, one way or another, on whether a breach did occur. In my experience, the facts that surface in a data security investigation are often voluminous, messy and confusing. For example, just because one employee makes an allegation about another employee, it does not mean the allegation is true. Getting to the truth often requires time, deliberation, and judgment.

Data breach investigations often raise difficult issues of evidence. Rarely does the investigation possess ironclad evidence that a breach has occurred with respect to any particular unit of data. What do I mean by “ironclad” evidence? An example of “ironclad” evidence would be a formal, written affidavit, signed and notarized, stating as follows:

“I am Jane Smith. I hereby attest that on June 14, 2010, approximately 2pm Pacific Time, I used a computer on the premises of ABC Hospital and that computer did not belong to me, and I had no right to use the computer in the way I used it. I used that computer to view the name, social security number and postal address of patient John Doe, and I used the computer to exercise dominion over the aforementioned data.
I further attest that at the stated time I was not authorized by ABC Hospital, John Doe or any other legal authority to view and exercise dominion over that information.” Now that’s strong evidence for supporting the conclusion that a breach has occurred. In real-world cases, however, the evidence is often voluminous, complex, contradictory and sketchy. It includes flimsy things like allegations by employees who may have conflicts of interest or are otherwise fallible. It includes computer logs that show only little snippets of information that can be interpreted in numerous different ways. To weigh imperfect evidence often requires careful thought, consultation with outside experts, collection of additional evidence that’s hard to get, and a good night’s sleep (and possibly more than one night of sleep). I caution against data holders like LPCH making snap, irrational decisions about whether a breach has or has not happened. In the LPCH case, the hospital maintains that it sent out notices promptly after it had rationally – based on careful, logical review of all the evidence — concluded that a breach had occurred. CDPH, on the other hand, contends that LPCH should have concluded that a breach had occurred much earlier. I don’t know who is right in this case. But here’s my point on constitutionality: The constitution guarantees “due process of law.” That means laws cannot work or be enforced in arbitrary, capricious or unreasonable ways. In other words, public officials like CDPH cannot impose fines on a whim or just because they want to “send a message” to all those institutions that hold data. Further, our legal system has long recognized that the evaluation of evidence takes time. That’s why juries are sent for hours, days or even weeks to deliberate in jury rooms, and why the juries are periodically released so jurors can go home, rest and sleep, even while the jury is still in service. 
A jury cannot rationally reach a conclusion that a defendant is “guilty” until the jury has deliberated. The California breach notice law requires the sending of notice after it is known that the breach occurred. To “know that a breach has occurred” is to reach a legal conclusion (like the conclusion that a defendant in a […]