An OCR investigation illustrates the value of investigating small and medium-sized entities

One of the common themes in discussing security is that many organizations are not “mature” yet. And of course, as HIPAA recognizes in its security rule, smaller practices should not be expected to do everything you might expect a larger hospital system to do. But even small or  medium-sized entities need to comply with the core standards.

At the Privacy and Security Forum in D.C. this past week, I had the opportunity to speak briefly with Roger Severino,  the new Director of the Office for Civil Rights at the U.S. Department of Health and Human Services.

Severino comes to the position, he explained, with an enforcement background and orientation. So I took the opportunity to mention that I have yet to see OCR really take enforcement action against entities who never even disclose a breach to OCR or to affected patients. It’s certainly been the case that over the past few years, a freelance security researcher has notified OCR of a number of FTP server leaks, and I’ve notified OCR of a number of leaks or hacks (some involving TheDarkOverlord) that were seemingly never reported to OCR and may never have been disclosed to affected patients.

Severino asked me to send him a batch of information on breaches that were never investigated or have not shown up on their breach tool — or where patients may never have been notified. I will be collaborating with the security researcher to compile a sample list for OCR. Not all of the entities may be covered entities under HIPAA, of course, but I bet you the majority are.

Anyway, I left D.C. encouraged by Severino’s enforcement attitude, and got home to a second pleasant surprise relevant to this topic.  OCR had sent the researcher a letter about the outcome of an investigation they had conducted based on a complaint he sent them in December, 2016. The complaint involved an FTP server that was open to the public because it permitted anonymous login.

As with the Patterson Dental situation that I have reported on in the past,when contacted by OCR, Patients Choice in Texas reportedly told OCR that the researcher had hacked them. It’s not clear whether Patients Choice really understood their leak or if they were just trying to deflect responsibility. In any event, when OCR investigated, they found numerous deficiencies on Patients Choice’s part. By the time OCR closed its investigation more than 18 months later, they had provided substantial information and assistance to help Patients Choice come into compliance with HIPAA and HITECH.

The Complaint

On December 27, 2016, the researcher reported to OCR that in November, 2016 he had found Patients Choice patient data in the form of 1,069 scanned pdf files with protected health information exposed on an FTP server that permitted anonymous login. He also reported to OCR that he had notified Patients Choice by phone and had recorded the notification calls.

OCR reached out to Patients Choice in March, 2017 and thereafter. Patients Choice’s report on HHS’s breach tool is dated in September, 2017.

The Investigation and Findings

As OCR explains it, the Patients Choice report in response to their inquiry indicated possible noncompliance with certain aspects of the privacy and security rules:

The report indicated potential violations of 45 C.F.R. §§ 164.502(a) (Uses and Disclosures of PHI), 164.308(a)(l)(ii)(A) (Risk Analysis), 164.308(a)(l)(ii)(B) (Risk Management Plan), 164.308(a)(7)(ii)(A) (Data Backup Plan), 164.312(a)(2)(iv) (Encryption and Decryption), 164.312(d) (Person or Entity Authentication), 164.312(e)(l) (Transmission Security), 164.404 (Notification to Individuals), 164.406 (Notification to Media), and 164.408 (Notification to Secretary)

That’s a lot of potential violations for OCR to investigate. As their closing letter explains:

By letters dated March 2, 2017, and January 26, 2018, OCR notified Covered Entity of its investigation into this matter.  In its responses to OCR from March 31, 2017 to September 21, 2018, and during a site visit by OCR, Covered Entity provided evidence of its internal investigation concerning the breach incident as well as extensive corrective action it has taken in response to the incident.

The evidence revealed that at the time of the breach incident, Covered Entity’s satellite offices utilized the involved FTP server to send billing documents to Covered Entity’s Billing Department. Covered Entity discovered that a contractor handling multiple hardware issues allowed the FTP server to accept anonymous logins while trouble shooting network errors. The contractor inadvertently failed to disable the anonymous login on the FTP server. Covered Entity ceased using the IT vendor that employed the involved contractor and hired a new IT vendor.

The closing letter (see below) reviews all of the corrective actions Patients Choice subsequently took.  But would they have taken any of these actions if OCR had not contacted them and opened an investigation based on the researcher’s report? I think that the entity would likely have continued to claim that they were hacked, and might have taken significantly different corrective actions. And it’s not clear to me whether OCR or patients would ever have been notified. Why was their notification to OCR dated September, 2017 instead of no later than January, 2017 after the researcher contacted them in November, 2016?  As OCR found, notification was not timely.

In its investigation, OCR also looked at notification to patients, to the media, and to OCR. They found that although Patients Choice had made notifications, the notifications were all untimely, and there were other deficiencies:

Upon review, OCR also noted that Covered Entity’s substitute notice did not include a brief description of the breach, the types of PHI involved in the breach, steps affected individuals should take to protect themselves from potential harm, and a brief description of what Covered Entity is doing to investigate the breach, mitigate the harm, and prevent further breaches. Further, the substitute notice did not include a toll-free number for individuals to contact Covered Entity regarding the breach. OCR, therefore, provided technical assistance to Covered Entity regarding Breach Notification requirements, including timeliness of notifications and requirements for substitute notice. Covered Entity re-educated appropriate workforce members on Breach Notification requirements specified at 45 C.F .R. § § 164.404- 164.408. Covered Entity provided OCR sufficient documentation of the aforementioned re­education.

A lightly redacted copy of OCR’s closing letter is reproduced below this post. I think it reflects OCR’s approach to educating and assisting via enforcement, and that it is a good document to share with medical practices/small groups to show them how OCR applies the standards to small or medium-sized practices. If we want to help more entities mature in their security, we could use more enforcement actions like this one that are then made public so that other small and medium-sized entities can learn from them.

When asked for his reaction to OCR’s actions, the researcher responded,

I am glad OCR investigated this matter and that the covered entity became more educated on HIPAA\HITECH.

I know HHS/OCR has been limited in terms of resources, and that the present environment leans more to deregulation, but these enforcement actions can be a wonderful tool to help more entities understand and comply with regulatory requirements.  I hope to see more of them.



About the author: Dissent

Comments are closed.