Can a subcontractor expect to keep the job after accidentally posting protected health information of some 15,000 patients online? A Boston teaching hospital says, 'definitely not.'

 

The 496-bed Boston Medical Center in Massachusetts has fired third-party vendor MDF Transcription after hospital officials discovered the company posted health records and demographic data of 15,000 patients to the vendor's website with no password protection. 

 

[See also: Group slapped with $6.8M HIPAA fine.]

 

"As a result, the notes could have potentially been accessed by non-authorized individuals,"  BMC spokesperson Jenny Eriksen Leary wrote to Healthcare IT News. 

 

When asked how long the information had been posted publicly online, Eriksen Leary said hospital officials are not sure, but they are currently working with MDF to determine that information. The hospital has been working with MDF Transcription for 10 years.

 

This is the first reported HIPAA breach for BMC involving more than 500 patients, according to data from the Department of Health and Human Services. 

 

[See also: Healthcare security stuck in Stone Age.]

 

Between 25 percent to 27 percent of all HIPAA breaches involve a business associate, with some as high as 64 percent, according to the Office for Civil Rights, the HHS division responsible for investigating HIPAA violations. That number is poised to increase as business associates are now liable under the new HIPAA rule. 

 

Following the HIPAA final rule, which took effect back in September 2013, HIPAA-covered entities have expressed a growing mistrust over their BAs' ability to handle sensitive patient information. Some 73 percent of healthcare organizations say they are not confident or only slightly confident their third-party vendors are capable of detecting security breaches, notifying them and able to perform a proper risk assessment, according to a March security report by the Ponemon Institute. 

 

[See also: 4-year long HIPAA breach uncovered.]

 

To date,  31.3 million individuals have had their protected health information compromised in a large HIPAA breach (involving 500 people or more) since 2009, according to OCR data.