
News of penalties for data breaches and HIPAA violations is splashed and highlighted in every media outlet covering Healthcare IT. The magnitude of these numbers is mind boggling (in the millions), both in terms of the number of individuals impacted and in terms of the penalties enforced by the United States Department of Health and Human Services.

The HITECH Act requires that every reported data breach of unsecured protected health information affecting 500 or more individuals is listed and made available to the public along with the cause of the breach. Here is a summary of the impact of breaches over the past three years: http://www.artilient.com/medical-records-for-over-21-million-individuals-impacted-due-to-security-breaches-in-last-three-years/ . To see the list of reported breaches that have impacted 500 or more individuals, click here: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

As part of my work at SeedHIT, we come across several use cases of providing the right tools for our enterprise clients to protect their data as part of communication, collaboration and storage. I wanted to create a list of some of the ways that healthcare data gets breached. The objective of this post is not to critique the companies that have been impacted by these breaches but rather to create awareness.


1. Theft: This kind of breach happens when data is intentionally stolen. The theft could be of physical electronic devices holding the data, of electronic data itself sent over a network, or of old-fashioned paper. Of course, there are many other imaginative ways to steal data and cause breaches for enterprises.

An example of a healthcare data breach by theft:

— Two back-up tapes belonging to New York City Health & Hospitals Corporation’s North Bronx Healthcare Network were reported stolen in December 2010. The tapes reportedly contained the personal health information of 1,700,000 individuals.

2. Loss of devices: This could be the result of enterprises or individuals losing possession of the physical device that actually contains healthcare data. Often, the device containing the healthcare data belongs to the individual (BYOD); in other cases, the device belongs to the enterprise. The devices are not necessarily meant for personal use; they could also be enterprise-level devices such as back-up tapes.

Here are some recent examples of healthcare data breaches as a result of devices being lost:

— TRICARE Management Activity reported that 4,901,432 individuals were affected in September 2011, and it is now facing a $4.9 billion class-action lawsuit. The breach occurred due to the loss of back-up tapes, which could possibly have contained personal and protected health information.

— Health Net, Inc. reported the loss of server drives in January 2011. These server drives contained personal information such as Social Security numbers, names and personal health information of 1,900,000 individuals.

— Miami, FL based AvMed, Inc. reported the loss of two encrypted laptops containing personal information including Social Security Numbers and health records. The loss which occurred in December 2009 supposedly impacted 1.22 Million individuals.


3. Hacking: When an unauthorized person gains access to computer networks and devices, the hacker can potentially get their hands on sensitive patient information. Once a hacker holds this sensitive information, it could potentially be passed on to organized crime as well.

— Utah Department of Health reported that one of its servers containing information such as addresses, Social Security numbers and dates of birth was hacked in March 2012, impacting 780,000 individuals.


4. Incorrect Mailing: This happens when letters containing sensitive patient data are inadvertently sent to the wrong people at the wrong addresses.

— MO HealthNet reported in June 2013 that it had mailed information about its patients to the wrong addresses. The information contained in the letters potentially included name, date of birth and the last 4 digits of the SSN.


5. Loss of Paper: Lots of information is still captured on paper and left on paper in file folders. This opens up several kinds of breach: the paper falling into the wrong hands, shredding not being done properly, or the paper simply being lost.

— In May 2007, Georgia Division of Public Health reported that 140,000 paper records containing SSNs and medical histories were impacted when those records were “discarded” without shredding.


6. Unauthorized access/ Disclosures/ Internal theft: This happens when employees get curious about a certain patient’s medical history. The patient could be a celebrity, or even a family member or friend. The unauthorized access could also be made for personal financial gain.

— In June 2013, Los Angeles based Cedars-Sinai Medical Center reported unauthorized access to the records of TV personality Kim Kardashian: http://www.latimes.com/news/local/la-me-hospital-security-breach-20130713,0,7850635.story

— Office of the Medicaid Inspector General reported that in October 2012 an internal employee had emailed himself over 17,000 Medicaid patient records. These records potentially included information such as patient names, dates of birth and Social Security numbers.
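Both patterns above (an employee pulling thousands of records at once, and an employee peeking at a high-profile patient) leave traces in the EHR access audit log. The following is an added illustration, not code from the post or from any of the organizations named, of how a defender can scan such a log; the log format, the care-team mapping, the user names and the bulk threshold are all assumptions constructed for the example.

```python
# Added example (not from the original post): scan constructed EHR audit log
# lines for two insider-access patterns: one user touching many distinct
# patient records on a single day (bulk export), and any access to a
# high-profile patient by someone outside that patient's care team.
# Log format, threshold and names are assumptions for illustration.
from collections import defaultdict

# Constructed sample audit log: timestamp, user, action, patient_id
AUDIT_LOG = """\
2013-10-01T09:00:01 jdoe view P1001
2013-10-01T09:00:05 jdoe view P1002
2013-10-01T09:00:09 jdoe export P1003
2013-10-01T09:00:12 jdoe export P1004
2013-10-01T09:00:15 jdoe export P1005
2013-10-01T09:30:00 asmith view P2001
2013-10-01T10:15:00 bjones view P9999
2013-10-01T10:16:00 asmith view P9999
"""

# Constructed: flagged patient ids mapped to the users on their care team
HIGH_PROFILE = {"P9999": {"asmith"}}
BULK_THRESHOLD = 4  # distinct records per user per day (assumed policy value)

def parse_log(text):
    """Yield (timestamp, user, action, patient_id) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            yield tuple(parts)

def find_bulk_access(events, threshold=BULK_THRESHOLD):
    """Return {(user, day): count} where a user touched >= threshold distinct patients."""
    seen = defaultdict(set)
    for ts, user, _action, pid in events:
        seen[(user, ts[:10])].add(pid)   # group by user and calendar day
    return {key: len(pids) for key, pids in seen.items() if len(pids) >= threshold}

def find_vip_access(events, vip=HIGH_PROFILE):
    """Return (user, patient_id) pairs for flagged patients accessed outside the care team."""
    return [(user, pid) for _ts, user, _action, pid in events
            if pid in vip and user not in vip[pid]]

def run_detection(text=AUDIT_LOG):
    """Run both checks over a log text and return the findings."""
    events = list(parse_log(text))
    return {"bulk": find_bulk_access(events), "vip": find_vip_access(events)}
```

In practice the threshold would be tuned per role (a billing clerk legitimately touches far more records per day than a nurse), and the care-team mapping would come from the scheduling or admissions system rather than a hard-coded table.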


7. Malware: This is software designed to gain access to the sensitive data on your computers once it has infected a computer successfully. When such a program gets access to the company’s private computer systems, it is then able to cause data breaches. This method of data breach has been gaining a lot of popularity recently.

— La Grange, TX based St. Mark’s Medical Center reported that an employee’s computer containing patient information such as names, dates of birth and Social Security numbers was infected by malware in 2012. Almost 2,900 records were stored on that computer.

8. IT issues: This could be the result of misconfiguration of internal IT, or of not addressing key security aspects within the organization and not enforcing them with third-party vendors.

— Nashville, TN based Cogent Healthcare reported that the firewall protecting one of its vendor’s websites was down. As a result, Google’s crawlers included almost 32,000 patient records in its index in May 2013.


9. Lack of encryption: Sensitive data should be encrypted to prevent unauthorized access. This also means hardware such as laptops should have encrypted hard drives. Data breaches happen when devices fall into the wrong hands and there is no encryption on them.

— Chattanooga, TN based Blue Cross Blue Shield of Tennessee reported the theft of several unencrypted computer hard drives. Occurring in October 2009, the theft impacted over 1 million individuals.


10. Lack of internal IT policy and / or its enforcement: This happens when employees do not follow the policy laid out by the enterprise, which may be due to a lack of internal company education on policies. An example of an internal IT policy is that patient data should not be stored on the hard drives of laptops.

— SynerMed reported that in April 2013, an employee’s laptop containing member information of Inland Valleys IPA, such as names and dates of birth, was stolen from his automobile. This breach impacted over 1,500 individuals.

BONUS (10 + 1):

11. Improper Handling/ Disposal: This breach usually happens when an employee or a third-party vendor does not follow proper policies and procedures regarding the handling of sensitive data.

— The Social Security numbers of more than 18,000 University of Virginia students were included in brochures by Aetna Health Care’s third-party vendor in July 2013.

— Texas Health Harris Methodist Hospital Fort Worth reported in May 2013 that a portion of the microfiche that was supposed to be destroyed by its vendor, Shred-it, was found in a park. The microfiche could have included information such as patient names, addresses, dates of birth and Social Security numbers.


What are some instances of healthcare data breaches that your organization has been part of or you have observed?

nrj


7 Comments

  1. Great overview! A must read by anyone in health care…as well as the general public.


  2. Excellent write up and thought provoking … really great info…


  3. This is one of the most informative articles I have read about healthcare data breaches. I am glad Google sent me here. Working in a big healthcare enterprise, I have not been aware of so many different ways our data could have been compromised. I suppose that my IT team will be more diligent after reading this and our employees will need to be extra careful too. Thanks so much for putting this together.

    • I believe this is the most alarming issue the world is going to face in the upcoming year. Data security is even a big problem for governments, so the big IT giants should look after this issue that would be blue for them.

  4. This is an interesting article. I think a lot of this loss of data could be controlled better by taking stronger precautions at a level used by branches of the Government. First, use a closed system that only runs the Healthcare systems. No internet access other than direct access to information sites that can be controlled. Second, no paper. Convert all old records to pdf and house them inside the system. No printing of paperwork. Only use electronic system with signature pad and only print receipts for customers. Third, only transfer information via one single point. All records would have to be requested and forwarded by one person or group in the facility. The fewer the better.

    If all systems are dummy terminals and no one can access via a wireless device (or at least not by a device that can store info), there is little concern of a device walking out with 10,000 records. I know the new systems are built to be this type of environment, but there are still better practices that can be implemented to keep info in a tight loop.

    The greater concern would be hacking as a data farm would be a treasure trove if the walls were breached. As technology advances, we have to remember it advances for everyone. Bad guys have same access. Combine that with a desire, and there will continue to be issues with information security.

    Anyway, I probably didn’t need to provide you with my critique, but I did like the article. Eye opening at a minimum.

  5. Great article for healthcare and also for system security! It should be shared among friends for better knowledge distribution and as a case study.

  6. Great way to explain; it shows that most of the time it is not someone hacking into a system. Policies and procedures can solve most PHI loss.
    Jeff Brandt
