SMB Adoption of Secure Messaging in Healthcare Part 2: Painful Penalties


If you missed the first part of our blog series on secure messaging for SMBs in healthcare, you can read it here. Today’s post explores the financial penalties a small medical practice faced following a security breach.

In December 2013, APDerm, a six-office dermatology practice, agreed to pay $150,000 to settle claims that it violated federal privacy rules following the theft of an unencrypted thumb drive from a staff member’s vehicle. The drive, which held the protected health information (PHI) of approximately 2,200 individuals, was never recovered. The case marks the first settlement with a covered entity for not having policies and procedures in place to address the breach notification provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, passed as part of the American Recovery and Reinvestment Act of 2009 (ARRA).

The stark lesson from this story is that SMB medical and dental practices must take proactive steps to secure protected health information properly, or face serious penalties. Not only did the incident cost APDerm $150,000 in fines, it also likely took a heavy toll in legal fees, employee hours and negative brand impact during the two years between the theft and the settlement.

OCR Director Leon Rodriguez said about the settlement, “As we say in health care, an ounce of prevention is worth a pound of cure. That is what a good risk management process is all about: identifying and mitigating the risk before a bad thing happens. Covered entities of all sizes need to give priority to securing electronic protected health information.”

The other key lesson to be learned from APDerm’s incident is that there is no reason to ever use thumb drives. Secure messaging with large-file support eliminates the need to rely on risky methods such as thumb drives, consumer file-sharing services, or courier services for confidential information. In the third post of this series, we’ll explore how secure messaging has evolved to become much more affordable and easier to deploy for SMBs in healthcare.