Compliance officers are constantly reminded that their job is never done. That’s because compliance is an ongoing process. Take information security, for example. Just as one problem is fixed, another surfaces. Staying ahead of security risks is a never-ending challenge. MPA is constantly scouring numerous resources for insight into compliance risks.
Testimony in a recent information security case against LabMD has revealed some valuable insights. The case involves two separate incidents in which LabMD allegedly exposed the personal information of approximately 10,000 consumers.
One of the incidents involves a LabMD spreadsheet containing insurance billing information that was found on a peer-to-peer network. The spreadsheet contained sensitive personal information on more than 9,000 consumers, according to an FTC statement. In the second incident, police in Sacramento, Calif., found LabMD documents with information on at least 500 consumers in the possession of identity thieves. The information included names, Social Security numbers, and for some, bank account data. While this is an FTC case, time will tell if HIPAA penalties are imposed as well.
Testimony on day one shows that one of the incidents that led to the complaint against LabMD involved a billing manager downloading a file-sharing program called LimeWire onto her computer to share music over a peer-to-peer network on the Internet. The problem was that LimeWire also shared other files on that computer, including patient data.
Here's some testimony:
- Judge: This LimeWire program you're talking about, if that had never been downloaded by an employee, would we not be here today?
- FTC attorney: It is likely that we would not know about the defects in LabMD's security practices had we not known that ... the [LabMD] file was on the P2P network.
- Judge: So whatever information got out there in cyberspace was a result of LimeWire?
- FTC attorney: It was a result of the company's security failures that allowed LimeWire to be used by an employee.
The facts revealed in this testimony are a good reminder for compliance officers to verify that peer-to-peer software cannot be downloaded onto provider computers. They are also a strong rationale for policies and procedures that prohibit downloading programs from the Internet without clearance from the security officer.
MPA can help you avoid compliance risks that can lead to HIPAA penalties: