The recent data breach at Waterville, Maine-based HealthReach Community Health Centers has drawn attention because of negligence in disposing of electronic hardware that stored patients' personal data, including PII (Personally Identifiable Information) and PHI (Protected Health Information). The breach is attributed to the improper disposal of hard drives containing patient data by an employee at a third-party vendor's storage facility. The disposal took place on April 7, 2021; the health center was informed of it on May 7, 2021, and the case was reported to and filed with the Maine Attorney General's office on Sept 9, 2021.
Data security programs have largely focused on preventing cyber attacks and on deploying security tooling: encryption, firewalls, antivirus and anti-malware software, and so on. The HealthReach breach reflects the other side of data security: data theft through the improper disposal of IT assets at end-of-life, resale, or repurposing.
Non-Compliance with HIPAA & Maine Privacy Law
This healthcare data breach violates both the Maine privacy law and the HIPAA rules. It exposed not just personal health data but also patients' financial data. The breached PII includes financial account numbers and credit/debit card numbers together with the security code, access code, password, or PIN for the account. The information put at risk also includes Social Security numbers (SSN), medical insurance details, birth dates, addresses, names, lab results, treatment records, and medical record numbers.
The data security incident notice filed by HealthReach Community Health Centers with the Maine Attorney General's office states that:
“On or about May 7, 2021, HealthReach Community Health Centers was notified that hard drives containing information belonging to HealthReach Community Health Centers’ patients and employees were improperly disposed of by an employee at a third-party data storage facility.”
Over 100,000 Patients' Data Compromised by the Data Breach Incident
The breach exposes HealthReach Community Health Centers to legal penalties, financial repercussions, and damage to its reputation.
Legal Penalties:
A data breach is detrimental to the organization responsible for it: the organization faces financial penalties, lawsuits, and in some cases even imprisonment for the individuals involved. The Maine privacy law of 2020 focuses on protecting customers' personal information and PII, including SSNs and financial and health information. A breach of such sensitive information is a punishable offence in the state of Maine. You may read a summarized version of the Maine privacy law in our article here.
The law prohibits using, divulging, selling, or allowing access to personal data without the customer's express consent, and it obligates organizations to take reasonable measures to safeguard customer personal data from unauthorized access.
Financial Repercussions:
The Maine privacy law does not explicitly specify the penalty for non-compliance; at present, non-compliance and any private rights of action are adjudicated in the courts.
HIPAA non-compliance, however, carries heavy penalties: up to $50,000 per violation for willful neglect of the privacy, security, and breach notification rules, with the maximum penalty for violations of a HIPAA rule reaching $1.5 million per year. The image below shows the tiers that govern HIPAA violation penalties.
Damage to Reputation:
Apart from the legal and financial consequences, a data breach damages the reputation of and trust in the organization, calling its short- and long-term viability into question. Years of trust building, customer service, and investment in standards of excellence are undone. A single breach caused by the improper disposal of a storage device (here, hard drives) can do irreversible damage, costing an organization customers, brand equity, and image. As HealthReach Community Health Centers notifies its patients of the breach, the affected patients are unlikely to want to continue the relationship and may move to other health facilities.
Data Breach Reinforces the Need for Permanent Media Sanitization
A data breach caused by careless disposal of IT assets can do enormous damage to an organization. Yet improper disposal is preventable: it requires a well-planned data destruction policy with a verifiable audit trail, including when IT assets are disposed of through a third-party vendor. The organization must ensure that every piece of retired hardware is wiped or physically destroyed, with records and documented proof of sanitization for each device, and that the data on organizational hardware is protected throughout the device's lifespan, from acquisition to sanitization.
What Could Have Prevented the Breach?
The fundamental lapse behind the compromise of patients' critical data on April 7 was the third-party vendor's access to, and careless handling of, sensitive data, combined with the absence of any documented proof of data destruction. Selecting authorized vendors that provide a certificate of data destruction for a complete audit trail is therefore of paramount importance. On-site erasure of data, before a device changes hands, is always the safer option and is the recommended way to eliminate leakage during the handover.
Modern data sanitization tools such as BitRaser offer certified and secure solutions for performing on-site media sanitization. Data erasure sanitizes the device permanently, so that no data can be recovered, even by specialists in a laboratory. Such software produces an immutable certificate and report of erasure for every sanitized device, giving the organization proof of erasure and documented support for audits; the report is only as good as its verification step, so the wipe should be confirmed by reading the media back, not merely by logging that an overwrite was started. Data erasure software is also recommended for wiping storage media before it is shredded or physically destroyed, whether on-site or at an IT asset disposition facility, to prevent leakage while the hardware is in transit and to cover any lapses in logistical security.
Organizations today need to be alert to any gaps in data security that could leave them vulnerable to attacks and illicit data access.
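To make "sanitize, verify, and document" concrete, the following Python script is an added example written for this article; it is not BitRaser's or any vendor's code. It wipes a file-backed drive image with a single fixed-pattern pass, reads the whole image back to confirm the wipe, and emits a per-device erasure record protected by an HMAC so that a doctored or reused record can be detected. The image, the asset ID, the operator name, and the attestation key are all constructed assumptions for the demonstration; on real hardware the same read-back check applies, but flash media with spare blocks should be sanitized with the drive's own sanitize command rather than a host-side overwrite.

```python
"""Wipe a file-backed drive image, verify by read-back, emit a tamper-evident erasure record.
Added illustration for this article; not BitRaser or any vendor's implementation."""
import hashlib
import hmac
import json
import os
import random
import tempfile
import time

SECTOR = 512  # assumed logical block size of the image


def make_sample_image(path, sectors=2048):
    """Constructed stand-in for a drive: random bytes play the role of patient records."""
    with open(path, "wb") as f:
        f.write(os.urandom(sectors * SECTOR))
    return sectors * SECTOR


def overwrite(path, pattern=b"\x00"):
    """Single fixed-pattern pass over every byte, fsync'd so the writes reach the media.
    One pass plus verification is the 'Clear' level of NIST SP 800-88 for magnetic disks;
    flash media with spare blocks needs the drive's built-in sanitize command instead."""
    size = os.path.getsize(path)
    block = pattern * (SECTOR // len(pattern))
    with open(path, "r+b") as f:
        for off in range(0, size, SECTOR):
            f.seek(off)
            f.write(block[: min(SECTOR, size - off)])
        f.flush()
        os.fsync(f.fileno())
    return size


def verify(path, pattern=b"\x00", sample=None, seed=0):
    """Read back and confirm each checked sector holds the pattern.
    sample=None reads 100% of the sectors; an integer reads that many random sectors
    (a spot check only). Returns (ok, sectors_checked, first_bad_offset)."""
    size = os.path.getsize(path)
    n = (size + SECTOR - 1) // SECTOR
    block = pattern * (SECTOR // len(pattern))
    idx = range(n) if sample is None else sorted(random.Random(seed).sample(range(n), min(sample, n)))
    with open(path, "rb") as f:
        for checked, i in enumerate(idx, start=1):
            off = i * SECTOR
            want = block[: min(SECTOR, size - off)]
            f.seek(off)
            if f.read(len(want)) != want:
                return False, checked, off
    return True, len(idx), None


def _canonical(rec):
    """Deterministic byte form of the record without its own integrity fields."""
    body = {k: v for k, v in rec.items() if k not in ("record_sha256", "hmac_sha256")}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def erasure_record(asset_id, size, ok, sectors_checked, operator, key):
    """Per-device proof of erasure. The HMAC key is the organisation's own attestation
    secret (an assumption here); whoever holds it can detect an altered or reused record."""
    rec = {
        "asset_id": asset_id,
        "size_bytes": size,
        "method": "overwrite 1 pass 0x00 + full read-back verify",
        "verification": {"passed": ok, "sectors_checked": sectors_checked},
        "operator": operator,
        "timestamp_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
    }
    body = _canonical(rec)
    rec["record_sha256"] = hashlib.sha256(body).hexdigest()
    rec["hmac_sha256"] = hmac.new(key, body, "sha256").hexdigest()
    return rec


def record_is_authentic(rec, key):
    """True only if the record's fields still match the HMAC computed with the key."""
    expected = hmac.new(key, _canonical(rec), "sha256").hexdigest()
    return hmac.compare_digest(expected, rec.get("hmac_sha256", ""))


def sanitize_and_attest(path, asset_id, operator, key):
    size = overwrite(path)
    ok, checked, _ = verify(path)  # full read-back, not a sample, before signing off
    return erasure_record(asset_id, size, ok, checked, operator, key)


def run_demo(key=b"demo-attestation-key"):
    """Run the whole flow on a temporary image and return the intermediate results."""
    path = os.path.join(tempfile.mkdtemp(), "drive.img")
    size = make_sample_image(path)
    before_ok, _, first_bad = verify(path)        # data still present: verify must fail
    rec = sanitize_and_attest(path, "HR-DRV-0001", "asset-tech-01", key)
    forged = dict(rec, asset_id="HR-DRV-0002")    # reusing the record for another drive
    return {
        "path": path, "size": size, "before_ok": before_ok, "first_bad": first_bad,
        "record": rec, "authentic": record_is_authentic(rec, key),
        "forged_authentic": record_is_authentic(forged, key),
    }


if __name__ == "__main__":
    print(json.dumps(run_demo()["record"], indent=2))
```

The record is only signed after a 100% read-back; the `sample` option in `verify` exists for a quick spot check during handling, not as the basis for the certificate. Keeping the HMAC key with the organization rather than the vendor means the vendor can produce records but cannot silently alter a failed verification into a passed one.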