A recent report indicates that nearly 500,000 individual health records were breached in September 2017. This figure is taken from the 39 healthcare data breaches involving more than 500 records that were reported to the Department of Health and Human Services’ Office for Civil Rights in September 2017.  Healthcare providers suffered the most breaches with 27 reported incidents, followed by health plans with 10 breaches, and 2 breaches reported by business associates of covered entities.  This demonstrates the need for security measures by both HIPAA Covered Entities and Business Associates.

The way the health records were accessed is notable. The biggest cause of the breaches was unauthorized access/disclosures (18 breaches), closely followed by hacking and IT incidents (17 breaches).  This data about breaches reported in September shows the importance of taking proactive steps to ensure data security.  With unauthorized access and disclosure continuing to be a leading cause of data breaches, organizations should consider focusing on potential sources of such unauthorized access and disclosure as they conduct the risk assessments required by HIPAA.

The report also notes that email was involved in many of the breaches reported to HHS in September, finding that there were 13 email-related breaches, including a healthcare employee who emailed PHI to a relative to receive assistance with a work-related action. While that case apparently involved intentional misconduct by a healthcare employee, it raises questions that are instructive for organizations across all industries dealing with sensitive data:

  • Does the organization have clear policies regarding appropriate access to and disclosure of protected information?
  • Does the organization provide training for new employees on information security?
  • Does the organization provide refresher training for employees on information security?
  • Does the organization’s email policy address information security?
  • Has the organization reviewed its email system as part of its risk assessment?
  • Does the organization coordinate enforcement of its information security policies with its corrective action policies?

Another important lesson from these September data breach reports is that hacking continues to be a very real risk. Six of the top ten breaches in September were the result of hacking/IT incidents, which exposed 363,364 records – 76.81% of the records exposed in all reported breaches in September. The continuing risk from cyberattacks highlights the need for ongoing security audits, employee training, and tabletop exercises.

Michael R. Bertoncini

Michael R. Bertoncini is a Principal in the Boston, Massachusetts, office of Jackson Lewis P.C. He practices labor and employment law, with a particular emphasis on labor relations, employment law counseling and litigation, and data privacy and security law.

In labor relations matters, he regularly counsels clients on the practice of positive employee relations, negotiates collective bargaining agreements on behalf of organized clients, represents clients in labor arbitrations and National Labor Relations Board proceedings, and counsels clients with respect to rights and obligations under collective bargaining agreements and applicable labor and employment laws. He also has extensive experience in advising organizations responding to corporate campaigns and negotiating neutrality agreements.

Mr. Bertoncini’s privacy and data security practice focuses on advising clients on complying with HIPAA and other state and federal privacy and data security laws. He regularly reviews and develops policies and procedures, written information security plans and integrated compliance programs to assist clients in meeting their obligations under privacy and data security laws. Mr. Bertoncini has represented clients in investigations of alleged data breaches and advises them on their reporting obligations in the event of a data breach. He also conducts workplace training programs on HIPAA compliance and related privacy and data security topics.

Before joining Jackson Lewis, Mr. Bertoncini was Deputy General Counsel for a hospital system that is the largest fully integrated community care organization in New England. He was responsible for all of the system’s labor and employment law matters, and was involved in its acquisition by a private equity firm as well as its growth from six to ten hospitals in a twelve-month period. His three years as in-house counsel for this large health care system give Mr. Bertoncini a keen understanding of the impact of labor and employment law issues on clients’ business operations.

In addition to his labor relations and privacy experience, Mr. Bertoncini has extensive experience in conducting internal investigations and counseling clients on whistleblower and retaliation matters, as well as negotiating executive agreements, both employment and separation agreements. Mr. Bertoncini also represents clients in the litigation of employment matters. His litigation experience includes matters before federal and state courts and administrative agencies. He has appeared before United States Courts of Appeals and District Courts, Massachusetts and New York state courts, the Equal Employment Opportunity Commission, and the Massachusetts Commission Against Discrimination.

Mr. Bertoncini is a frequent speaker and trainer on labor and employment law topics for various organizations including Massachusetts Continuing Legal Education, Council on Education in Management, Lorman Education Services, the Boston Bar Association, and several chambers of commerce.

While attending Boston College, he received the John A. McCarthy, SJ Award for the most distinguished Scholar of the College thesis.