Patient Privacy News

KS Healthcare Organization Fined over Unsecured Patient Data

A Kansas healthcare provider was recently fined for keeping unsecured patient data and employee information in an office location.


By Elizabeth Snell

Topeka, Kansas-based Pearlie Mae’s Compassion and Care LLC recently agreed to pay an $8,750 civil penalty after allegations that it had unsecured patient data in one of its office locations.

Defendants Ann Marie Kaiser and Jenell Jones are owners of Pearlie Mae’s, which provides care for disabled consumers. Kansas Attorney General Derek Schmidt explained in a statement that there was a failure to keep sensitive patient and employee information secured.

Kansas Attorney General’s office special agents were executing a search warrant at Kaiser’s home in June 2017, the Attorney General’s Office statement read. The home was used as an office for the healthcare organization.

“The records were found in open view, unsecured and accessible to anyone in the residence, including persons who had no legitimate business reason to access the personal information in the records,” explained the statement. “A lawsuit filed by Schmidt in June alleged the defendants failed to implement and maintain reasonable procedures and practices to protect personal information and by failing to take reasonable steps to destroy or arrange for the secure destruction of records containing personal information when the records no longer are to be used.”

The consent judgement states that the defendants were found to have committed the following violations of the Kansas Consumer Protection Act:

  • Failed to implement and maintain reasonable procedures and practices appropriate to the nature of the personal information possessed, or caused to be possessed by Defendants
  • Failed to exercise reasonable care to protect the personal information possessed or caused to be possessed by Defendants from unauthorized access, use, modification or disclosure
  • Failed to take reasonable steps to destroy or arrange for the destruction of any records within Defendants' custody or control containing any person's personal information when Defendants no longer intended to maintain or possess such records.

Per the consent agreement, the Defendants must “subscribe to and enable password management software to protect the electronic records containing personal information of others.” All records containing personal information will need to be kept at the office of Pearlie Mae's “except as necessary to the provision of services.”

Records will also not be allowed to be kept at either Defendant’s home unless they are in a “secure container” that only Kaiser and Jones are able to access.

“Defendants agree to be and are required to follow local, State and Federal laws and regulations applicable to the health care services which they provide and licensure, as described in paragraph H, specifically including, but not limited to HIPAA requirements and CMS Policy for Information Security and Privacy,” the consent judgement stated.

Healthcare organizations must ensure that they adhere to state data privacy and security laws, as well as federal requirements such as HIPAA. Failure to do so could lead to fines and may harm the reputation of the business.

Massachusetts reached a settlement in November 2017 following a Medicaid data breach that exposed the information of 2,600 children.

In that case, New Hampshire-based Multi-State Billing Services (MSB) agreed to pay $100,000 and improve its security practices. The NH company processed Medicaid billing information for several Massachusetts school districts.

MSB had previously reported that an unencrypted laptop was stolen. The device contained names, Social Security numbers, Medicaid identification numbers, and dates of birth in some cases.

“This settlement ensures that this company implements the necessary protections so this type of breach never happens again and sends a clear message about the importance of safeguarding the sensitive information of children and others,” Massachusetts Attorney General Maura Healey said in a statement.

The Massachusetts Attorney General’s Office statement added that MSB violated state law that requires “reasonable steps to safeguard the personal information from unauthorized access or use.”

“MSB failed to develop, implement, and maintain a written and comprehensive information security program, train members of its workforce on how to reasonably safeguard personal information, or maintain a computer security system that ensured that personal information stored on laptop computers or other portable devices was encrypted,” Healey’s office explained.

MSB was also directed to properly train staff members on data privacy and security measures. Additionally, the organization agreed to develop, implement, and maintain an information security program. It will also review and update its policies and procedures for keeping data secure.