Why a Furniture Maker Had to Report a Health Data BreachMany Employers Have Health Data That Must Be Protected Under HIPAA
Sometimes, even a furniture manufacturer must report a health data breach to comply with the HIPAA Breach Notification Rule.
See Also: HIPAA Audits: A Revised Game Plan
Asheboro, N.C.-based Klaussner Furniture Industries says that in February it discovered a data security incident that exposed certain health data of current and former employees, as well as some of their dependents.
The incident is listed on the Department of Health and Human Services' HIPAA Breach Reporting Tool website as a "hacking/IT incident" affecting about 9,300 individuals and involving a network server. It's listed on the so-called "wall of shame" as being reported by "Klaussner Furniture Industries, Inc. Employee Benefits Plan through its sponsor, Klaussner Furniture Industries, Inc."
HIPAA Compliance Issues
"One of the biggest challenges for employers is realizing whether they have any plan member data that is subject to HIPAA," says privacy attorney Adam Greene of the law firm David Wright Tremaine. "They may have a third-party administrator and believe that all of the data resides with the administrator, when that is not the case."
When an employer discovers employee information has been breached, Greene says, it should carefully review whether it is involved in administering its group health plan and determine whether any employee data related to plan administration was exposed. "If yes, then it may be time for a crash course on the HIPAA Breach Notification Rule," he says.
"While employers are not considered covered entities, the group health plans sponsored by employers are HIPAA covered entities and do have obligations to comply with the HIPAA standards."
—David Holtzman, CynergisTek
The "wall of shame" website, which lists major health data breaches impacting 500 or more individuals, lists several breaches reported by employers outside of the healthcare sector.
For instance, the federal tally shows that in September 2018, "Toyota Industries North America, Inc. as plan sponsor to the Toyota Industries North America, Inc. Welfare Benefit Plan," reported to HHS a hacking/IT incident involving email that impacted 19,000 individuals.
In a statement last September, Toyota said the incident potentially impacted the security of certain personal information and PHI.
Steps to Take
Employers with self-insured group health plans will typically handle information that is protected by the HIPAA privacy and security rules, notes privacy attorney David Holtzman of security consultancy CynergisTek.
"While employers are not considered covered entities, the group health plans sponsored by employers are HIPAA covered entities and do have obligations to comply with the HIPAA standards," he says.
"The bottom line is that any organization that sponsors a self-funded, self-insured benefit plan that pays for some type of healthcare ... must have a program in place that limits access to the data of the benefits program and a risk-based information security program to protect the data," he says.
Among the basic practices these companies should put into place are:
- Establish privacy policies that outline permitted and required uses and disclosures of the information by the group health plan to the plan sponsor or employer;
- Provide employees with a notice of privacy practices that describes how health information may be used and disclosed and how the individual employee or covered dependent may access that information;
- Design and implement administrative, technical and physical safeguards to protect PHI in accordance with the HIPAA standards;
- Identify if there is any PHI from the group health plan in the employer's information systems;
- Perform a risk analysis to identify potential threats against ePHI.
Klaussner Breach Details
In its statement, Klaussner says that upon discovery of the incident, it initiated an internal investigation, retained a forensic firm and notified law enforcement of the incident.
"As part of its investigation, Klaussner recently learned that an unauthorized third party gained access to two computers on its network that contained certain personal information about a limited number of current or former employees, and some of their dependents. At this time, Klaussner is not aware of any fraud or identity theft as a result of this event," the company says.
The information stored in the affected computers varies by individual, but may include names, addresses, Social Security numbers, financial account information, dates of birth, health information, and health benefit election, Klaussen says.
The company did not describe in its statement the type of hacking incident that occurred. But it says it has taken steps to bolster its information and data security practices and procedures, "including rebuilding affected systems, installing additional security measures, and exploring additional security changes in order to help prevent this type of incident from reoccurring in the future."
Klaussner says it is offering one year of prepaid identity protection services to individuals affected by the incident.