News Feature | July 16, 2013

Kardashian Data Breach Highlights PHI Risks

Source: Health IT Outcomes

By John Oncea, Editor

The announcement that 14 patient medical records were “inappropriately accessed” – possibly including those of Kim Kardashian – underscores the importance of HIPAA compliance as well as the vulnerability of hospitals to misuse of patient records by their own staff

Cedars-Sinai Medical Center announced that 14 patient medical records were “inappropriately accessed” between June 18 and 24 and, as a result, five workers and a student research assistant have all been fired. This is according to the Los Angeles Times, which also reports, “Reality television star Kim Kardashian gave birth to her daughter with rapper Kanye West at the hospital on June 15. A hospital spokeswoman declined to identify the patients whose records were accessed but said that all patients involved had been notified of the breach.”

While Cedars-Sinai will neither confirm nor deny that Kardashian’s records were among those accessed, it did say the patients involved were alerted. Representatives of the reality star did not respond to requests for comment, according to the Times. TMZ did report, however, that Kardashian “was contacted by the hospital to let her know she was one of the patients who had her records accessed.” It cited sources who said, “The family suspected that information was leaking from the hospital after various media reports surfaced with certain information about the birth of her daughter North that she hadn't told anyone.”

The Huffington Post notes “Four of those fired were employees of community physicians who have staff privileges at the hospital,” and, “Three physicians violated hospital policy by giving underlings their hospital log-on, information that was abused to access confidential patient records.”

Breaches in security in Los Angeles hospitals are not uncommon, according to The Washington Post which highlights other instances, including:

  • Maria Shriver, whose records were breached along with those of other celebrities at UCLA Medical Center. This led then-Gov. Arnold Schwarzenegger to sign a law fining health facilities for such violations.
  • A 2009 case against a former UCLA Medical Center employee who had sold celebrities’ medical records; the case was dismissed because she died of cancer.
  • The case of Lawanda Jackson, 50, who had pleaded guilty to the felony charge of violating federal medical privacy law for commercial purposes after she sold information from the records of Britney Spears, Farrah Fawcett, and other high-profile patients to the National Enquirer.

In a blog post for Modern Compliance Solutions, Steve Marco writes that the Cedars-Sinai breach serves as a “great example of how hospitals and clinics can protect the organization from inappropriate actions of its staff.” Marco says the “case provides a shining example of how requiring unique user IDs for all EMR/EHR/ePHI system access so that a review of logs can be performed to review system activity.” He also suggests, “The staff was no doubt fired under the organization’s Personnel Sanction Policy, and the Hospital can prove due diligence in responding to this security violation.”

Marco also opines that as a result of having the appropriate controls in place Cedars-Sinai is positioned to defend itself should a suit be filed for disclosing Protected Health Information (PHI) or if an HHS Patient Complaint were posted under HIPAA. Marco concludes, “Without the appropriate controls in place, the Hospital could be found negligent and host to Civil Monetary Penalties and potential small-stakes lawsuits.”
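The control Marco describes only pays off if someone actually reviews the access logs, and the Huffington Post detail above (physicians handing their log-ons to subordinates) shows what the review has to cope with: once a credential is shared, every access is attributed to the wrong person. The script below is an added example, not code from this article, from Marco’s post, or from Cedars-Sinai; it runs two checks a compliance or security team would apply to EHR audit logs. The log format, user and patient identifiers, workstation names, care-team roster, watch list and the 10-minute window are all constructed for illustration and do not reflect any real system.

```python
"""EHR audit-log review: two checks that depend on every user having a
unique login.  Constructed example; the log schema, names, roster and
thresholds are assumptions for illustration, not any vendor's format."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit records (not real data): when, who, from which
# workstation, which patient chart, and what was done.
SAMPLE_LOG = """\
2013-06-18T09:02:11 dr_lee WS-ICU-01 P-1001 VIEW
2013-06-18T09:04:45 dr_lee WS-MED-07 P-2044 VIEW
2013-06-18T09:05:30 dr_lee WS-ICU-01 P-1001 UPDATE
2013-06-18T09:40:02 rn_ortiz WS-MED-07 P-2044 VIEW
2013-06-18T11:15:09 dr_lee WS-MED-07 P-2044 VIEW
2013-06-19T14:22:50 rn_ortiz WS-MED-07 P-1001 VIEW
"""

# Constructed care-team roster: who has a treatment relationship with
# which patient.  A real system derives this from admissions and
# scheduling data rather than a hard-coded dict.
CARE_TEAM = {
    "P-1001": {"dr_lee", "rn_ortiz"},
    "P-2044": {"dr_lee"},          # rn_ortiz is not on this chart
}
# Patients flagged for extra scrutiny (public figures, staff, etc.).
WATCH_LIST = {"P-2044"}


def parse_log(text):
    """Parse the whitespace-delimited constructed format into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ws, patient, action = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "ws": ws, "patient": patient, "action": action})
    return events


def shared_credential_alerts(events, window=timedelta(minutes=10)):
    """Flag one login used from two workstations within `window`.

    One person cannot be at two terminals at once, so this is the
    signature of a shared password.  It is the only signal left once
    a shared log-on makes every access look like the owner's.
    Returns (user, earlier_ws, later_ws, timestamp) tuples."""
    alerts = []
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, cur in enumerate(evs):
            # Walk back through recent events for this user; stop once
            # we leave the window or find a workstation mismatch.
            for prev in reversed(evs[:i]):
                if cur["ts"] - prev["ts"] > window:
                    break
                if prev["ws"] != cur["ws"]:
                    alerts.append((user, prev["ws"], cur["ws"], cur["ts"]))
                    break
    return alerts


def no_relationship_alerts(events, care_team, watch_list):
    """Flag chart access by a user with no treatment relationship to
    the patient.  Any access to a watch-listed patient is reported even
    for the care team, so a reviewer sees every touch of that chart.
    Returns (kind, user, patient, timestamp) tuples in log order."""
    alerts = []
    for e in events:
        team = care_team.get(e["patient"], set())
        if e["user"] not in team:
            alerts.append(("no_treatment_relationship",
                           e["user"], e["patient"], e["ts"]))
        elif e["patient"] in watch_list:
            alerts.append(("watch_list_access",
                           e["user"], e["patient"], e["ts"]))
    return alerts


def review(text=SAMPLE_LOG):
    """Run both checks over a log and return the alerts by check."""
    events = parse_log(text)
    return {
        "shared_credential": shared_credential_alerts(events),
        "relationship": no_relationship_alerts(events, CARE_TEAM, WATCH_LIST),
    }


if __name__ == "__main__":
    for kind, alerts in review().items():
        for alert in alerts:
            print(kind, *alert)
```

On the constructed sample, the relationship check catches rn_ortiz opening P-2044 under her own login and reports both of dr_lee’s legitimate touches of the watch-listed chart for review. Had rn_ortiz used dr_lee’s log-on instead, that access would have looked like the physician’s and only the concurrent-workstation check (dr_lee active on WS-ICU-01 and WS-MED-07 within a minute) would remain to raise a flag, which is why unique IDs are the precondition for any of this to work.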

This breach is just one of many since the U.S. Department of Health and Human Services (HHS) strengthened the privacy and security protections for health information established under HIPAA in January.  “This final omnibus rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented,” HHS Office for Civil Rights Director Leon Rodriguez is quoted as saying in the release announcing the changes.  “These changes not only greatly enhance a patient’s privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates.”

HHS had announced two weeks prior the “first settlement involving a breach of unsecured electronic protected health information (ePHI) affecting fewer than 500 individuals” when Hospice of North Idaho (HONI) agreed to pay $50,000 to settle potential HIPAA violations. The HONI settlement stemmed from the theft in June 2010 of an unencrypted laptop computer containing the ePHI of 441 patients.