Here is the latest horror story about an error made by a business associate. This incident involves a transcription service provider that made a mistake during a software upgrade of Orlando Orthopedic Center's server in December of 2017. The business associate's mistake exposed the PHI of more than 19,000 patients stored on that server from December 2017 until February 2018.
It is unclear whether any PHI was accessed by unauthorized individuals during the two-month period. Orlando Orthopedic offered credit monitoring and identity theft protection to all patients whose Social Security numbers were exposed, and it provided ongoing cybersecurity awareness training to its staff.
In this particular case there was also a delay between the discovery of the breach and the breach notification to the Department of Health and Human Services' Office for Civil Rights, the media, and the individual patients. That delay may carry the risk of an additional penalty for noncompliance with the Health Insurance Portability and Accountability Act, which requires notice within 60 days of the discovery of a breach when more than 500 individuals are exposed. This breach remains under investigation with the agency.
Take a look at your Business Associate Agreement to make sure it contains specific breach notification requirements that ensure timely notification in the event of a breach.