HealthReach Data Breach in Maine Impacts 100,000+ Patients

Written By

Namrata Sengupta

Published on

September 23rd, 2021

Non-Compliance to HIPAA & Maine Privacy Law

This healthcare data breach is a non-compliance to Maine Privacy law as well as HIPAA rules. It has not just exposed the personal health data but also the financial data of patients. The breached PII data includes financial account number, credit/debit card number, in combination with security code, access code, password or pin for the account. The information that is exposed to risk also include social security numbers (SSN), medical insurance details, birth dates, addresses, names, lab results, treatment records and medical record numbers.

Data Security Incident as reported by “HealthReach Community Health Centers” to the Maine attorney general’s office states that:

“On or about May 7, 2021, HealthReach Community Health Centers was notified that hard drives containing information belonging to HealthReach Community Health Centers’ patients and employees were improperly disposed of by an employee at a third-party data storage facility.”

Over 100,000 Patients Data has been compromised by the Data Breach Incident

This will lead to Legal Penalties, Financial Repercussions, & Damage to Reputation for the HeathReach Community Health Centers.

Legal Penalties:

An event of data breach is detrimental to the organization responsible for data breach as it has to face severe financial penalties, lawsuits and even imprisonment in some cases. The Maine privacy law 2020, focuses on protecting the personal information of customers and PII including SSN, financial and health information. Breach of these sensitive information is considered a punishable offence in the province of Maine. You may read the summarized version of Maine Privacy Law in our article here.

The law prohibits using, divulging, selling, or allowing access to personal data without the customer’s express consent. Maine privacy law obligates organizations to take reasonable measures to safeguard customer personal data from unauthorized access.

Financial Repercussions:

Maine Privacy Law does not explicitly mention the quantum of penalty for non-compliance. Presently, any non-compliance or enforcement of private rights of action will be adjudicated in courts of law.

However, HIPAA non-compliance penalizes the violating organization with massive penalties that can range up to $50,000 per violation for a willful neglect of privacy, security and breach notification rules. The maximum penalty for violation of HIPAA rules can go up to $1.5 million per year. You may refer to the image below citing the various Tier’s that govern HIPAA violation penalties.

Damage to Reputation:

Data breach incident, apart from legal and financial hassles can be detrimental to the reputation and trust of the organization- putting questions on their short and long term sustainability. Years of trust building, customer service and investments on building standards of excellence all go in vain. A single incidence of data breach due to improper disposal of electronic device (hard drives) can cause irreversible damages to any organization that leads to loss of customers, brand equity and image. As the customers are being notified of their data breach by HealthReach Community Health Centers, the affected patients are not likely to engage in any relationship with the health centers and may move to alternate health facilities.

Data Breach Reinforces the Need for Permanent Media Sanitization

Data Breach due to careless disposal of IT assets can cause colossal damage to the organization. However, this improper disposal of devices is preventable and requires a well-planned data destruction policy in place with verifiable audit trails even when disposing IT assets by third party vendor. The organization must make provisions to ensure that every sanitized hardware is being wiped or physically destroyed with records and documented proof of sanitization. Proper care should be taken to ensure that the data in organizational hardware is secured throughout the lifespan of device from acquisition to sanitization.

What Could Have Prevented the Breach?

The fundamental lapse for compromise of patient’s critical data during the data breach incidence that happened on April 7, was the access and careless handling of sensitive data by the third-party vendor and the absence of any documented proof of data destruction. Hence, the selection of authorized vendors that provide certificate of data destruction for complete audit trail is of paramount importance. Also, on-site erasure of data is always safer and recommended to eliminate data leakage when device change hands.

Modern data sanitization tools like BitRaser offer certified and secure solutions that can help any organization to perform on-site media sanitization. Data Erasure sanitizes the device permanently so that no data can be recovered by even specialists in a laboratory. These software provide an immutable certificate and report of erasure for every single sanitized device that can help the organization with a proof of erasure and documented support for auditing purposes. Data erasure software are also recommended to wipe storage media before they are shredded or physically destroyed on-site or at an IT asset disposition facility, to prevent any leakage during movement of hardware and logistical security lapses.

Organizations today need to be cautious and aware of any gaps in data security that could make them vulnerable to attacks and illicit data access.

About The Author

Namrata Sengupta

51 posts

Namrata is a seasoned business leader with a strong background in strategic management, revenue growth, brand building, and nurturing partnerships. She has more than 25 years of experience serving leadership roles in IT / ITES , Telecom & Education industries. In her role as Vice President at Stellar, she has been actively talking about data privacy & erasure solutions through live technology events in the US, Europe & APAC.

HealthReach Data Breach in Maine Impacts over 100,000 Patients

Let’s get started

Submit Enquiry

Stellar Brings to The World Future-Ready Data Solutions