TRENDING:

The Field Report with Tom Field

The High Price of Non-Compliance

Healthcare Organizations Learn Expensive Lessons About HIPAA, HITECH Tom Field (SecurityEditor) • July 8, 2011    

We all know the cost of regulatory compliance - how expensive it can be to meet the standards of the Health Insurance Portability and Accountability Act, the Health Information Technology for Economic and Clinical Health Act and other industry guidelines.

But two organizations this week learned hard lessons about the cost of non-compliance.

Health insurer WellPoint Inc. settled with the Indiana Attorney General's office over a delayed notification of a consumer data breach that affected the records of 32,051 people.

Under terms of the settlement, WellPoint will pay the state $100,000 for an incident, which exposed data that included social security numbers, financial information and health records. In addition to the fine, WellPoint must provide up to two years of credit monitoring and identity-theft protection services to Indiana consumers affected by the breach, as well as offer reimbursement to any WellPoint consumer of up to $50,000 for any losses that result from identity theft due to the breach.

Meanwhile, the University of California at Los Angeles Health System has agreed to pay a fine of $865,500 and has committed to a corrective action plan aimed at remedying gaps in its compliance with the HIPAA's Privacy and Security Rules. This after complaints that employees were snooping into celebrity patients' health records.

In addition to the fine, UCLAHS has agreed to review, revise and maintain, as necessary, existing policies and procedures and develop written policies and procedures that comply with federal standards that govern the privacy of individually identifiable health information.

The non-compliant organizations are saying all the right things in the wake of their penalties. "Our patients' health, privacy and well-being are of paramount importance to us," says Dr. David T. Feinberg, CEO of UCLAHS. But the contrition would have been totally unwarranted if the groups had just been compliant from the start.

These cases show not just the serious consequences of non-compliance, but also how serious the regulatory bodies are about enforcing their rules. And making public examples of those who break them. Nothing encourages compliance better than seeing an organization's reputation strapped into the PR stockade.

In other notable news this week:

  • Executive Editor Eric Chabrow spoke with RSA's new CSO Eddie Schwartz about life after the organization's stunning data breach;
  • And Contributing Editor Upasana Gupta blogs about the murky question of whether security organizations should even consider hiring staffers who have histories as hackers.
Be sure to visit HealthcareInfoSecurity for all the latest news and views on the issues that matter most to healthcare/security leaders.


About the Author

Tom Field

Tom Field

Senior Vice President, Editorial, ISMG

Field is responsible for all of ISMG's 28 global media properties and its team of journalists. He also helped to develop and lead ISMG's award-winning summit series that has brought together security practitioners and industry influencers from around the world, as well as ISMG's series of exclusive executive roundtables.




Around the Network

Medical Device Cyberthreat Modeling: Top Considerations
Medical Device Cyberthreat Modeling: Top Considerations
Evolving Threats Facing Robotic and Other Medical Gear
Evolving Threats Facing Robotic and Other Medical Gear
Safeguarding Critical OT and IoT Gear Used in Healthcare
Safeguarding Critical OT and IoT Gear Used in Healthcare
Protecting Medical Devices Against Future Cyberthreats
Protecting Medical Devices Against Future Cyberthreats
Properly Vetting AI Before It's Deployed in Healthcare
Properly Vetting AI Before It's Deployed in Healthcare
How 'Security by Default' Boosts Health Sector Cybersecurity
How 'Security by Default' Boosts Health Sector Cybersecurity
Is It Generative AI's Fault, or Do We Blame Human Beings?
Is It Generative AI's Fault, or Do We Blame Human Beings?
How the NIST CSF 2.0 Can Help Healthcare Sector Firms
How the NIST CSF 2.0 Can Help Healthcare Sector Firms
Identity Security and How to Reduce Risk During M&A
Identity Security and How to Reduce Risk During M&A
Transforming a Cyber Program in the Aftermath of an Attack
Transforming a Cyber Program in the Aftermath of an Attack

Continue »

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing inforisktoday.in, you agree to our use of cookies.