2019-10-18 at 10:49 am #14923 Saranath (Keymaster)
Please read your friend’s report and provide comments on “Are there any other preventive measures to avoid the attack?”.
3 Massachusetts hospitals fined nearly $1 million by OCR for HIPAA violations
1. Provide a brief description of the story.
This case study is about 3 hospitals in Boston (Boston Medical Center, Brigham and
Women’s Hospital and Massachusetts General Hospital) which permitted a TV company (ABC News) to film
a medical documentary program (“ABC documentary”). The problem is that the hospitals let the team
film in private areas of the hospitals, and some parts of the video exposed patients’ personal health
information (PHI). On further investigation, it was found that the hospitals impermissibly disclosed the
PHI of patients to ABC employees during the production and filming of the television program at the
In the related news, it was mentioned that all 3 hospitals denied disclosing PHI without
permission, stating that they had obtained the proper consent. However, the Office for Civil Rights (OCR) differed in its
findings. Finally, all 3 hospitals were fined a total of 999,000 USD in this case; after that, each
hospital developed policies and procedures around photography, video and audio recording, and also
implemented staff training as part of individual corrective action plans.
2. What is/are the impact of this data breach? Consequences of the data breach.
The leakage of PHI to unauthorized people, such as documentary film employees and/or, through
the film, the public, has a huge impact. The PHI contains confidential patient data such as
ID number, address and telephone number, and also medical data such as allergy history, diseases
and health status. The disclosure of PHI affects both the patient side and the hospital side.
On the patient’s side, it can cause psychological and physical harm in many ways, such as
bullying over their illness, loss of employment status due to their illness, poisoning with drugs they
are allergic to, physical attack (from address leakage) and also financial loss (from
identification data leakage). On the hospital side, they lose their reputation and the trust placed in them to keep
personal data private.
3. How did the data breach occur?
The data breach occurred because the film company requested to film in the hospital. The hospitals
tried hard to implement various protections regarding patient privacy, including obtaining consents
from patients. But not all of the patients included in the film had given authorization before filming. At that
point they failed to comply with the HIPAA Privacy Rule, which states that health care providers may not
allow members of the media into treatment areas of their facilities or other areas where PHI is accessible in written,
electronic, oral or other visual or audio form without prior authorization from the patients in that area
or whose PHI will be accessible to the media. The masking of patients’ identities by media personnel is not
4. What should be the main cause of the data breach? Provide a brief explanation of the cause
of the data breach (such as phishing, ransomware, HIPAA violation, database misconfiguration,
human error, third-party vendor error).
The main cause of the data breach is a HIPAA violation, as I mentioned before. The hospitals
reviewed and assessed patient privacy issues related to the filming and implemented various
protections regarding patient privacy, including providing the ABC film crew with the same HIPAA
privacy training received by the hospitals’ workforce. However, despite such efforts, the weak points
Based on the timing of when the hospitals received some written patient authorizations, the
hospitals impermissibly disclosed the PHI of patients to ABC employees during the production
and filming of a television program at the hospital.
The policy they applied to protect patients’ PHI from disclosure during the filming project is
5. How could you prevent this data breach attack?
In my opinion, the best prevention for this type of data breach is to instil a privacy
culture in health care personnel and also to update the organization’s policies and regulations about
privacy safeguards, especially for filming video in the hospital. Not only must the video not directly
disclose the identity of patients, but the patients and the patient health information that will be
accessible during filming or to the media should also have consent before the filming process takes place.
After the policies and regulations are in place, there should be ongoing assessment and
monitoring of the process to check for vulnerable points in the process and improve it.
2019-10-22 at 1:56 pm #15033 Chalermphon (Participant)
The placement of a high-level policy and regulation is very important in this situation.
2019-10-22 at 4:36 pm #15042 Pyae Phyo Aung (Participant)
Ensure every employee knows and signs the Hospital’s Code of Conduct.
Make a confidentiality policy and a multimedia policy. Restrict who can authorize permission for recording pictures or video; sometimes recording will be needed for academic purposes.
Get consent from patients. Written consent is best, as it will protect against violation of the regulation.
2019-10-23 at 3:17 pm #15058 Ameen (Participant)
I think the privacy rule is well established, but the fact that HIPAA’s origin is to accommodate the insurance system, an economic function, as it is the main health system in the US, makes it go with the economic backbone rather than the humane-ethical view. When the needs for new content are compressed to meet humane-ethical ones, as in this case, if an organization has no strong political-ethical standpoint, it is likely to compromise. Following the privacy rule might not be a solution for all (even though they followed it, they were still fined); the organization should make a plan for information risk management on exposing its reputation to a disputable situation like this.