Kirk Nahra Highlights Underlying Security Issues in Health Care Company Breach
Kirk J. Nahra, chair of Wiley Rein’s Privacy Practice and co-chair of the Health Care Practice, was quoted in a HealthcareInfoSecurity.com article about Health Insurance Portability and Accountability Act (HIPAA) compliance issues companies must be aware of, in light of a recent health care company’s breach.
In a unique technology breach story, Premier Healthcare had a stolen laptop returned two months after it was discovered missing. Premier’s data breach report stated that nearly 206,000 patients’ health care data could have been compromised. After the laptop was returned, a forensic analysis showed that it had not been turned on while it was missing, indicating that health records were not accessed.
“It’s luck that the laptop was returned, and that individuals don’t have to worry about their data because the laptop doesn't appear accessed or even turned on,” said Mr. Nahra.
While the missing laptop was returned, Premier may be under scrutiny by the Department of Health and Human Services' Office for Civil Rights (OCR), mainly because the laptop was not encrypted. “The incident shows that [Premier] potentially has underlying security issues,” Mr. Nahra said. “Premier complied with the HIPAA Breach Notification Rule, but it’s uncertain whether it complied with the HIPAA Security Rule,” he added. According to the article, under the security rule, organizations need to encrypt laptops and other computing and storage devices that are prone to theft or loss, unless they document why an alternative security measure is reasonable and appropriate.
“OCR has a long list of other major breaches to investigate, so it’s a matter of resource allocation on whether they decide to investigate,” Mr. Nahra said.