Data Breach, Education, Tip of the Week

Organizations Must Address Data Breaches Before They Occur

Any organization that creates, collects, stores, processes, transmits, archives, or deletes sensitive information about an individual must prepare for a Data Breach before it occurs. Addressing Data Breach response planning after the breach occurs is costly and potentially a game-ender for some companies.

Data Breaches occur all the time; the public just does not understand the breadth and impact of the problem. A quick look at the State of California Department of Justice website published by the State Attorney General gives you an immediate feel for the size of the problem, especially when one considers how few of the events listed here, just in 2012, have made it into the news!

All of these organizations had to comply with California’s far stricter data breach reporting and notification requirements under California State Law such as SB24. Sections of California State Law state:

California law requires a business or state agency to notify any California resident whose unencrypted personal information, as defined, was acquired, or reasonably believed to have been acquired, by an unauthorized person. (California Civil Code s. 1798.29(a) and California Civ. Code s. 1798.82(a))

Any person or business that is required to issue a security breach notification to more than 500 California residents as a result of a single breach of the security system shall electronically submit a single sample copy of that security breach notification, excluding any personally identifiable information, to the Attorney General. (California Civil Code s. 1798.29(e) and California Civ. Code s. 1798.82(f)). If you happen to be included in this category and are required to submit a notice, you can do so here.

However, this is only California, and most states, other than Texas, do not have Data Breach reporting requirements anywhere near as stiff as these. As the public begins to hear about even small portions of the overall problem, from the news, by receiving a notification letter, or from affected family members or neighbors, the attention paid to these events, and the real and significant penalties, will only grow exponentially.

All organizations that interact with sensitive information about an individual in the ways we listed above must:

  1. Identify the sensitive data in their possession
  2. Identify the location of that data throughout its entire lifecycle from creation or import, through to secure and permanent deletion
  3. Document the data flow, and tie access controls, auditing, and security techniques such as encryption, to every branch of that flow
  4. Review the data with Risk Management and In-house or external Counsel (See the Law.Com Blog entry below)
  5. Determine the best combination of Risk Management techniques (Eliminate, Transfer, Reduce, Accept)
  6. Develop a Data Breach Policy
  7. Develop a Data Breach Procedure (Steps and Personnel to support the Policy)
  8. Run a mock Data Breach event drill
  9. Improve your processes based upon the results of the drill
  10. Update all of the information collected in steps one through seven, above

Law.Com Blog entry:  

RISC Management assists organizations in creating and implementing Data Breach prevention, detection, investigation, response, and improvement projects.

Written by Chris Heuman

HIPAA / HITECH Enforcement, News Events

HHS Settles Case with Phoenix Cardiac Surgery for Lack of HIPAA Safeguards

Under the HHS resolution agreement, Phoenix Cardiac Surgery has agreed to pay a $100,000 settlement amount and to a corrective action plan (CAP) that includes a review of recently developed policies and other actions taken to come into full compliance with the Privacy and Security Rules.

OCR’s investigation found that the physician practice was posting clinical and surgical appointments for its patients on an Internet-based calendar that was publicly accessible.

In addition, Phoenix Cardiac Surgery had implemented few policies and procedures to comply with the HIPAA Privacy and Security Rules, and had limited safeguards in place to protect patients’ electronic health information (ePHI).

OCR’s investigation also revealed the following issues:

  • Phoenix Cardiac Surgery failed to implement adequate policies and procedures to appropriately safeguard patient information;
  • Phoenix Cardiac Surgery failed to document that it trained any employees on its policies and procedures on the Privacy and Security Rules;
  • Phoenix Cardiac Surgery failed to identify a security official (such as a HIPAA Security Officer);
  • Phoenix Cardiac Surgery failed to conduct a risk analysis; and
  • Phoenix Cardiac Surgery failed to obtain business associate agreements with Internet-based email and calendar services where the provision of the service included storage of and access to its ePHI.

The HHS Resolution Agreement can be found at

This posting is sponsored by RISC Management & Consulting,