HIPAA VIOLATOR INCURS PRISON TERM
A former UCLA School of Medicine researcher became the first person to receive a prison term for merely accessing protected health information (PHI) without authorization. On April 27, 2010, Huping Zhou was sentenced to four months in prison for violating the Health Insurance Portability and Accountability Act (HIPAA). Zhou was accused of accessing more than 320 health records after learning he was being let go. Zhou originally claimed he was unaware that looking at private information was a crime; however, as part of a plea deal, Zhou admitted to accessing patient medical records on four separate occasions without any legitimate reason.
While Zhou was subject to HIPAA as it was in effect in 2003, the Health Information Technology for Economic and Clinical Health Act (HITECH), signed into law on February 17, 2009, has raised the stakes even higher. HITECH increased penalties for obtaining or disclosing PHI “without authorization” and established authority for state attorneys general to enforce civil claims for HIPAA violations. The HITECH provisions and the federal government’s increased focus on privacy issues signal heightened enforcement against HIPAA violators. This case highlights the continued importance of HIPAA compliance programs—including restricting terminated employees’ security access, training employees on the importance of privacy, and notifying employees about penalties for misusing PHI.
DIGITAL COPIERS POSE THREAT OF DATA SECURITY BREACHES
On April 19, 2010, CBS News aired a report claiming to have uncovered thousands of documents from four previously leased digital copiers selected randomly from a warehouse in New Jersey housing thousands of similar machines. Most digital copiers built since 2002 contain a hard drive which stores an image of every document copied or scanned on the machine. A 2008 survey conducted by Sharp indicated that 60 percent of Americans did not know that copiers store images on their hard drives.
CBS investigators used a free and widely available forensic software program to examine the hard drive of a digital copier previously leased by Affinity Health Plan—a New York managed care service. In less than 12 hours they retrieved 300 pages of personal medical records. On April 5, 2010, triggered by the CBS investigation, Affinity notified more than 400,000 of its former and current employees and members that their personally identifiable information and, in some cases, protected health information may have been left on digital copier hard drives that were no longer under Affinity’s control. Affinity is attempting to reacquire those hard drives and is implementing a program to permanently destroy all data on copier hard drives decommissioned in the future.
FINRA FINES FIRM $375,000 FOR FAILURE TO IMPLEMENT RECOMMENDED SECURITY FIXES; BREACH DISCOVERED ONLY AFTER FIRM RECEIVED BLACKMAIL THREAT
On April 12, 2010, the Financial Industry Regulatory Authority (FINRA) fined brokerage firm D.A. Davidson $375,000 for failing to protect confidential client information. In December 2007, a group of Latvian hackers accessed approximately 230,000 client records stored in an unencrypted database that was perpetually exposed to the Internet. After the hackers attempted to blackmail the firm with the records, D.A. Davidson immediately reported the breach to law enforcement officials and helped the Secret Service identify the hackers.
The firm had previously hired security consultants to examine its system and implemented several of their recommendations, but did not implement a recommended intrusion detection system. The breach attempts were recorded in web server logs; however, the firm failed to review those logs or take any precautionary steps to become aware of such a breach. In addition to notifying law enforcement officials of the breach, D.A. Davidson provided two years of free credit monitoring and made a call line available for the roughly 192,000 individual customers affected. Despite the fact that no customers suffered proven identity theft or damages, FINRA still fined the firm because it failed to implement recommended security precautions prior to the breach. While FINRA is not a government agency, its actions seem in line with the trend towards increased government enforcement of privacy and data protection regulations.
This alert is a copyrighted publication produced by Oppenheimer Wolff & Donnelly LLP. The information contained in this alert is of a general nature and is subject to change. Readers should not act without further inquiry and/or consultation with legal counsel.