
Compliance Perspectives: State Enforcement Raises Liability Risks of Data Breaches

Publication Date: Aug 12, 2019

Memo to lab managers and compliance officers: It may be time to rethink your data breach response strategy. This directive is the result not of any substantive changes to the HIPAA rules but rather of how they are likely to be enforced from now on. The punchline: Messing up your HIPAA breach response and reporting may get you into trouble with not just the federal Office of Civil Rights (OCR) but also the Attorneys General (AGs) of every state whose residents were harmed by the breach. Here’s a look at this new compliance hazard and the nine safeguards you need to manage it.

New Data Breach Case Signals New Approach to Breach Enforcement

The concern over state enforcement comes from a groundbreaking new case involving a medical software provider named Medical Informatics Engineering (MIE). The company licenses a web-based electronic health record application called WebChart, and its subsidiary, NoMoreClipboard (NMC), provides patient portal and personal health record services to healthcare providers, allowing patients to access and manage their health information. The troubles began when MIE installed two generic accounts, one having a shared password of “tester” and the other having a shared password of “testing.” Neither included a unique user identification name. These accounts were flagged as “high risk” by a formal penetration test conducted in January 2015. But MIE decided not to eliminate them because it didn’t want to deny a client request for the capacity to log in without using unique usernames and passwords.

Later that year, hackers used the generic accounts to launch an SQL (structured query language) injection attack and insert malware on MIE’s system, compromising the electronic protected health information (ePHI) of approximately 3.5 million individuals.

First the Feds, then the States Go After MIE

The OCR cited MIE for HIPAA violations resulting in a $100,000 settlement. Although it’s not unusual for states to file separate privacy law charges on behalf of state residents harmed by the breach, there had never been a multistate HIPAA data breach lawsuit before. So, it was pretty eye-opening when AGs from no fewer than 16 different states (including Arizona, Arkansas, Connecticut, Florida, Indiana, Iowa, Kansas, Kentucky, Louisiana, Michigan, Minnesota, Nebraska, North Carolina, Tennessee, West Virginia and Wisconsin) banded together to go after MIE in Indiana federal court.

In addition to wielding their statutory authority to enforce the federal HIPAA laws, the AGs brought claims under their own respective state data breach and personal information protection statutes, contending, among other things, that hackers had exploited MIE’s poor password protection policies and that MIE failed to follow its own security management protocols. Result: MIE was accused of 38 separate counts of state law violations stemming from the same breach. Outnumbered and out-resourced, MIE agreed to pay $900,000 to settle all the charges. It also agreed to implement an onerous corrective action plan.

Potential Impact on Your Lab

As if HIPAA and data security breaches weren’t already damaging enough, the potential for multistate enforcement stemming from a single breach ups the ante exponentially. Labs are especially vulnerable given:

  • Their reliance on web-based applications for ePHI management that hackers love to target; and
  • The fact that they manage ePHI of residents from multiple states.

The concern, of course, is that if a data breach occurs at your lab, you could be subject to the same 1-2 punch that was administered to MIE: the OCR followed by state AGs. The greater the size of your ePHI management network and the more states it spans, the greater your liability risks.

9 Things to Do to Protect Your Lab

The key to managing liability risks is to dedicate proper resources and energy to ePHI protections and data response mechanisms and ensure that any and all of your lab business associates that handle that information do likewise. That means ensuring you understand and comply with not only the HIPAA Security Rule but also state privacy, deceptive trade practices and other laws regulating the collection, maintenance and safeguarding of consumers’ ePHI.

Exactly what do you need to do to stay out of trouble with the state AGs? Perhaps the best answer is to implement at least the 10 measures MIE had to agree to under the consent judgment:

  1. Implement and maintain an information security program that includes a security incident and event monitoring solution enabling quick detection and response to cyber-attacks;
  2. Deploy data loss prevention technology to prevent unauthorized exfiltration of data;
  3. Implement controls to prevent SQL injection attacks;
  4. Maintain and regularly review activity logs;
  5. Ensure password policies require the use of strong, complex passwords and multi-factor authentication as well as single sign-on for all systems that store or are used to access ePHI;
  6. Implement additional controls covering the creation of accounts that have access to ePHI;
  7. Refrain from using generic accounts that can be accessed via the internet;
  8. Ensure that no generic accounts are allowed to have administrative privileges; and
  9. Provide appropriate training to all employees regarding your lab’s information security policies and procedures at least annually.

**************

This article originally appeared in G2 Intelligence, Lab Compliance Advisor, August 2019


Copyright ©2021  by American Society for Clinical Pathology. All Rights Reserved.
