It’s easy to hear about the HIPAA data breaches; however, the consequences are rarely ever shared. It is important to understand the entire aftermath and how one goes about cleaning up once there has been a data breach.
One man who was involved in a scheme to steal identities from Memphis Neurology as well as car dealerships and people he knew were being charged with felony fraud charges.
As for the financial institutions, the loss surrounding this scheme was somewhere upwards of $1.6 million. It was unknown at the time what kind of harm was done to the bank accounts belonging to all of the patients. The person who was charged allegedly received all the patient information from a former employee of Memphis Neurology.
It’s a disaster regardless of what angle you look at it from. It is also going to cause major issues for the practice.
This begs the question – how did it happen? It is potentially a HIPAA violation of less than 500 patients. However, it may not ever result in a clear answer as to what happened.
There are many unanswered questions that are being asked. This includes looking at:
- Were there HIPAA policies and procedures in place?
- Were all of the policies and procedures followed?
- Was due care issued in terms of providing employee access to patient records?
- Were all employees trained adequately?
The practice in Memphis is not the first nor will it be the last practice to encounter such problems. At some point, something went wrong in order for this man to have gotten information on more than 145 patients. There may not have been sufficient policies and procedures in place. They may have been in place, but they weren’t followed. Employee access may not have been identified – for example, it is thought that he got the information from a former employee. At some point, that former employee should have been denied access to patient records – and if they obtain the information after leaving the practice, this is a considerable breach. Further, employees need to receive adequate training.
There is still not enough information about the case to determine where the fault is. It’s possible that the man hacked the system and there is nothing that Memphis Neurology could have done. However, it is more likely that there was a HIPAA data breach that could have been prevented – and this is where there are going to be even bigger problems for the practice.
At this point, the damage has been done. This means that the practice now has to clean everything up, and it’s a mess.
All of the questions about protocol and policies and procedures are going to need to be answered by the practice. The practice has a ready had extreme damage to its reputation. It was all over the news stations and across the newspapers in Memphis. People have probably been talking about it in restaurants and coffee shops.
Patients that had their information stolen may not return. Other patients, whose data remain private, may consider choosing a different practice. It may potentially prevent prospective patients from choosing the practice as well because they don’t want to expose themselves to potential fraud.
This means that the practice is going to have to do their due diligence to improve their reputation. They need to identify what went wrong and fix it so that they can go back to all of their patients and explain what happened and how it has been fixed.
Other practices who have gone through a similar HIPAA data breach need to do the same thing. A damaged reputation can be very difficult to overcome, and part of this is due to the Internet. Once the story breaks, it can quickly be picked up by other news sources and spread around the globe. Any time that a potential patient researches the practice name in Google or any other search engine, they may learn about the data breach.
There is also the $1.6 million to consider. Whoever lost that money is going to want it returned to them. If the practice is found to be negligent against their HIPAA compliance, they may be required to pay the money. There is also going to be legal fees involved with handling the various lawsuits that will come in from the patients. There is also going to be distraction involved from the physicians and the practice administrators.
This can add up to a significant amount of money for the practice to deal with. This means that it would have been better had they simply focused on HIPAA compliance from the very beginning. Many practices simply don’t know just how much they have to clean up if there is a breach, and knowing may help to improve overall compliance levels.