For years – even before the mainstream media caught on to the epidemic – PHIprivacy.net had been reporting cases of insider data theft for tax refund fraud schemes and calling special attention to Florida. By now, everyone seems to acknowledge that Florida is a hotbed of such crime.
Yet despite this growing recognition of an ongoing and serious problem, HHS does not appear to have taken any strong enforcement action over any covered entity for failing to protect PHI or ePHI from the insider threat.
On its site, HHS notes:
With regard to the subset of complaints specifically pertaining to the Security Rule, since OCR began reporting its Security Rule enforcement results in October 2009, HHS has received approximately 901 complaints alleging a violation of the Security Rule. During this period, we closed 658 complaints after investigation and appropriate corrective action. As of June 30, 2014, OCR had 308 open complaints and compliance reviews.
Are any of the open complaints insider data theft cases for tax refund fraud, because I can find not one case on the public breach tool that has resulted in any monetary penalty or corrective action plan when tax refund fraud was the consequence of insider data theft. Did I miss something? If I’ve forgotten or overlooked some case, please let me know. HHS has not (yet) responded to an inquiry sent yesterday asking them to confirm or deny their lack of enforcement action in any case involving tax refund fraud.
And for those keeping track: I am not aware of any cases where the FTC has prosecuted a HIPAA-covered entity over data security failures that resulted in tax refund fraud, either, even though that’s clearly harm to consumers. So we could ask the same question of them: why hasn’t the FTC taken any strong action? If I’ve forgotten or overlooked some enforcement action by FTC for insider data theft in the healthcare sector used to support tax refund fraud schemes, please correct me.
Insider data theft is a serious problem with serious consequences to patients. Isn’t it about time OCR and/or FTC sent a strong message to covered entities that failure to prevent and/or detect insider data theft will lead to hefty penalties? Actually, isn’t it long past the time that they should have started doing this?
None of the above should be construed to discourage DOJ and IRS from pursuing criminal prosecutions of rogue employees. I just think that when we have two federal agencies regulating and enforcing data security – HHS and FTC – and yet neither agency seems to pursue cases against the entities for failing to prevent or detect serious data theft, those agencies are failing to use the authority they have, to the detriment of patients and consumers.