HHS Is The Real Grinch When PHI Is Stolen

Jamie Scott

There seems to have been a recent rash of thefts involving electronically stored health information, including names and social security numbers.  Most stolen health information is taken by stealing the flash drive, laptop or desktop on which the information is stored. It is difficult to tell in these cases whether the target of the theft is the hardware being stolen or the data stored on the hardware. 

July 15, 2013 – Advocate Medical Group in Chicago had 4 desktop computers taken in a burglary that contained the personal information of over 4 million patients. 

July 22, 2013 — A St. Louis orthodontist office was burglarized and company computers were taken with the data for over 10,000 patients.

August 2, 2013 —  A physician practice at the University of Texas Health Science Center at Houston discovers a laptop has been stolen containing data for nearly 600 patients. 

Regardless of the intent of the thief, when a group health plan or health provider is the victim of such a crime, the financial loss from the theft is a minor distraction compared to the damage to the health plan or provider’s reputation and the subsequent financial cost when Health and Human Services (HHS) opens an investigation of the theft. Under the HIPAA breach notification rules, since all of the thefts mentioned above involved unencrypted data and affected more than 500 individuals, they were reported to the local media. The media notifications generated the news stories above. Of greater concern still is that HIPAA requires that the breaches be reported to HHS.

Once reported, HHS is likely to open an investigation, require a corrective action plan with encryption, and propose an “appropriate” financial sanction.  In most cases what HHS deems as appropriate financial sanction seems outrageous.  In my opinion, HHS “has a heart two sizes too small.”  For example, see this case. Most larger cases have been resolved for amounts between one to two million dollars. It is impossible to predict the sanctions that will be imposed for these theft situations, but considering that the breach could have been avoided by simply encrypting the data and the number of participants involved, HHS will be the real Grinch, and not the thief.