Harvard Computer Society Email Privacy Breach

The Harvard Computer Society (“HCS”), the student technology club that provides free computing services to the Harvard community, recently discovered a long-running breach of student and faculty email data. One of the primary functions of HCS is to act as the administrator of mailing lists. In January 2011, HCS boasted that it hosted 5,000 email lists and 1,700 student-group and user email/web accounts. HCS discovered that email lists that were assumed to be private were open to the public until Monday, February 20, 2017.

Reporting by The Harvard Crimson indicates that almost 1.5 million emails, some containing students’ grades, discussion about grades, and financial information, were open to current students, alumni, and persons with Harvard email accounts. If true, the disclosure of student grades could be a violation of the Family Educational Rights and Privacy Act (FERPA).

It appears that no one ever examined the administration of access to email lists, or the access rights themselves, because – this is Harvard. Everyone assumed that anyone who configured email mailing lists would do it correctly, because – this is Harvard.

The long-standing nature of the breach suggests that HCS was exempted from IT security audits. According to Harvard Risk Management & Audit Services, an information system audit would consist of an examination and testing of end-user identity management and access controls. If an audit had been done, list administration would have been low-hanging fruit.
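The access-control check described above is simple to automate. The script below is an added example (it is not HCS code, and it does not reflect any real list manager's configuration keys): it walks a constructed inventory of mailing lists and flags any list whose archive or subscriber roster is readable beyond its members, any list with no owner on record, and any list whose description suggests sensitive content while its archive is not members-only. The field names (`archive_visibility`, `roster_visibility`, `owners`, `description`) and the sample lists are this example's own assumptions.

```python
"""Audit mailing-list access settings for lists that are more exposed
than their owners assume (added example; field names are assumptions)."""
from dataclasses import dataclass, field

# Exposure levels from least to most open. "members" is what a list owner
# usually means by "private"; "domain" means every account in the
# organisation can read it; "public" means anyone on the internet can.
EXPOSURE_RANK = {"members": 0, "domain": 1, "public": 2}

# Words in a list description that warrant a members-only archive.
SENSITIVE_TERMS = ("grade", "financial", "disciplinary", "medical")


@dataclass
class MailingList:
    name: str
    archive_visibility: str                 # "members" | "domain" | "public"
    roster_visibility: str                  # same scale, for the subscriber list
    owners: list[str] = field(default_factory=list)
    description: str = ""


def classify(ml: MailingList) -> list[str]:
    """Return the findings for one list; an empty list means it passes."""
    if ml.archive_visibility not in EXPOSURE_RANK or ml.roster_visibility not in EXPOSURE_RANK:
        # An unrecognised setting is itself a finding: it cannot be reasoned about.
        return [f"unknown visibility setting: {ml.archive_visibility!r}/{ml.roster_visibility!r}"]
    findings = []
    if EXPOSURE_RANK[ml.archive_visibility] > 0:
        findings.append(f"archive readable by {ml.archive_visibility}")
    if EXPOSURE_RANK[ml.roster_visibility] > 0:
        findings.append(f"subscriber roster readable by {ml.roster_visibility}")
    if not ml.owners:
        findings.append("no owner on record to approve settings")
    text = ml.description.lower()
    if EXPOSURE_RANK[ml.archive_visibility] > 0 and any(t in text for t in SENSITIVE_TERMS):
        findings.append("description suggests sensitive content but archive is not members-only")
    return findings


def audit(lists: list[MailingList]) -> dict[str, list[str]]:
    """Map each failing list name to its findings; passing lists are omitted."""
    return {ml.name: f for ml in lists if (f := classify(ml))}


# Constructed sample inventory: one correctly configured list, one
# "private" list that is actually readable by the whole domain, and one
# fully public list with no owner.
SAMPLE_LISTS = [
    MailingList("cs50-staff", "members", "members",
                ["ta@example.edu"], "Teaching staff coordination"),
    MailingList("house-grades-committee", "domain", "members",
                ["dean@example.edu"], "Discussion of student grades"),
    MailingList("club-announce", "public", "public",
                [], "Public event announcements"),
]


def main() -> None:
    for name, findings in audit(SAMPLE_LISTS).items():
        print(name)
        for finding in findings:
            print("  -", finding)


if __name__ == "__main__":
    main()
```

Run against a real inventory, the output is the audit worklist: each flagged list goes back to its owner with the specific setting to change, and a list with no owner gets one assigned before anything else.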

In February 2014, a former HCS member wrote an article about the history of HCS. The writer noted the following: “I dug through the archives and read all 1341 emails sent over the past 13 years, from 2000 to 2013. Here’s a few of the more interesting emails I found. (I’ve replaced some email addresses and phone numbers with asterisks for privacy’s sake.)” While the messages captured in the blog appeared to be group messages, the post nonetheless provides a reference point for the potential size of the breach.

The HCS Email Privacy Breach may be a violation of FERPA. Under FERPA, a school may not disclose a student’s grades to another student without the prior written consent of the parent or eligible student. FERPA encourages institutions to self-report breaches to the U.S. Department of Education Family Policy Compliance Office. It’s too early to tell what Harvard will do.

Not yet Hip to HIPAA? You will pay millions.

It has been 21 years since the Health Insurance Portability and Accountability Act (HIPAA) was signed into law. HIPAA was designed to improve the portability and accountability of health insurance coverage. In effect, the law secures and protects Protected Health Information (“PHI”) and enforces standards for electronic transactions in healthcare. Although the law is about information protection, interestingly, the “I” and “P” in the acronym stand for Insurance Portability.

Since the rules took effect (2003-2005), the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has settled 41 cases for $48.9 million.

HIPAA has three primary rules: the Privacy Rule (81 requirements), the Security Rule (78 requirements), and the Breach Notification Rule (10 requirements). Understanding these 169 criteria/requirements will be helpful in navigating OCR’s periodic audits, or an investigation.

HIPAA Privacy Rule

The HIPAA Privacy Rule sets national standards on the protection of PHI and on who may access it and authorize its disclosure. It governs when and how PHI is disclosed. The Privacy Rule also gives patients ownership of their health records, as well as the right to access and copy them and to request corrections to them.

HIPAA Security Rule

The HIPAA Security Rule establishes national standards to protect electronic PHI, or ePHI. The Security Rule generally prescribes the technical security standards for the creation, receipt, use, and maintenance of ePHI by a Covered Entity. Under the regulation, a Covered Entity can be an individual, organization, or agency that acts as a Health Care Provider, a Health Plan (payer), or a Health Care Clearinghouse (which processes claims).

If a Covered Entity uses a third party to access, transmit, process, or store ePHI, the third party is considered a Business Associate because it helps the Covered Entity carry out its health care activities and functions. A Business Associate cannot skirt its regulatory obligations by subcontracting: the same requirements apply to subcontractors that provide such services to a Business Associate.

HIPAA Breach Notification Rule

The final primary rule is the Breach Notification Rule. The HIPAA Breach Notification Rule requires Covered Entities to provide notification following a breach of unsecured ePHI.

So what about the price that will be paid if a Covered Entity does not comply with HIPAA? Let’s look at a recent case.

Data Breach Today recently reported that Children’s Medical Center of Dallas (“CMC Dallas”) received a $3.2 million civil fine from the HHS OCR “based on its impermissible disclosure of unsecured electronic protected health information and non-compliance over many years with multiple standards of the HIPAA Security Rule.” In February 2014, CMC Dallas had received kudos for being among “the first hospitals in the U.S. to implement true, untethered export of patient health data to a Personal Health Record (PHR)”. Yet in 2007 and 2008, CMC Dallas was put on notice through various self-assessments and reports, and had actual knowledge that it maintained ePHI in an unencrypted manner.

Subsequently, CMC Dallas filed a breach report with OCR on Jan. 18, 2010, citing the loss of an unencrypted, non-password-protected BlackBerry device at the Dallas/Fort Worth International Airport on Nov. 19, 2009. The device contained the ePHI of approximately 3,800 individuals. However, CMC Dallas did not implement encryption on all devices until April 9, 2013. On July 5, 2013, CMC Dallas filed another breach report with OCR after an unencrypted laptop containing the ePHI of 2,462 individuals went missing in April 2013. Additionally, OCR found that CMC Dallas “did not implement sufficient policies and procedures that govern the receipt and removal of hardware and electronic media that contain ePHI into and out of its facility, and the movement of these items within the facility”. Based on CMC Dallas’s prior history of non-compliance with the Privacy and Security Rules, OCR imposed the above-referenced fine.

The following compliance mitigation strategies could be used to prevent similar sanctions.

  • Update Policies and Procedures. Covered Entities should review and revise HIPAA-related policies and procedures with a focus on clearly outlining an escalation process and defining compliance roles and responsibilities. Based on the facts, CMC Dallas did not appear to have a path in its policies and procedures to escalate and resolve known risks such as unencrypted devices. To avoid inaction like that identified at CMC Dallas, Covered Entities should ensure that policies and procedures define who is responsible for acting on a finding and by when. Policies and procedures should be reviewed as often as necessary, but at least annually.
  • Training. Provide up-to-date HIPAA training to employees. The training must address HIPAA generally, as well as privacy and/or security awareness.

What does the future hold for HIPAA? According to David Holtzman, a former senior adviser at the Department of Health and Human Services’ Office for Civil Rights, “Look for 2017 to be a year when OCR continues to exercise its HIPAA enforcement muscle – just not at the record pace seen in 2016.” If HHS OCR doesn’t get to you, great! If it does, make sure you are prepared, or you will be fined.