News of penalties for data breaches and HIPAA violations are splashed and highlighted in every media outlet covering Healthcare IT. The magnitude of these numbers is mind boggling (in millions) both in terms of the number of individuals impacted as well as the penalties enforced by the United States Department of Health and Human Services.
The HITECH Act requires that all reported data breaches of unsecured protected health information affecting 500 or more individuals is listed and made available to the public along with the cause of the breach. Here’s some impact of breaches over the past 3 years: http://www.artilient.com/medical-records-for-over-21-million-individuals-impacted-due-to-security-breaches-in-last-three-years/ . To get a list of some reported breaches which have impacted over 500 or more individuals, click here: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html
As part of my work at SeedHIT, we come across several use cases of providing the right tools for our enterprise clients to protect their data as part of communication, collaboration and storage. I wanted to create a list of some of the ways that healthcare data gets breached. The objective of this post is to not critique the companies which have been impacted by these breaches but rather to create awareness.
1. Theft: This kind of breach happens when data is intentionally stolen. The theft could be of data in the form of electronic physical devices or could be electronic data itself over a network or of old-fashioned paper. Of course, there are a lot of other imaginative ways to steal data and causing breaches for enterprises.
An examples of healthcare data breach by theft includes:
— Two back-up tapes belonging to New York City Health & Hospitals Corporation’s North Bronx Healthcare Network were reported to be stolen in December 2010. The tapes reportedly contained personal health information of 1,700,000 individuals
2. Loss of devices: This could be as a result of enterprises or individuals losing possession of the physical device which actually contains healthcare data on it. Lots of times, the device which contains the healthcare data belongs to the individual (BYOD) and in other cases, the device belongs to the enterprise. The devices might not necessarily be meant for personal use. They could also be enterprise-level devices such as back-up tapes.
Here are some recent examples of healthcare data breaches as a result of devices being lost:
— TRICARE Management Activity 4,901,432 Individuals Affected in September 2011 and is now facing a $4.9 billion class-action lawsuit. Occurred due to loss of back-up tapes. These tapes could have possibly contained the personal and protected health information.
— Health Net, Inc reported the loss of server drives in January 2011. These server drives contained personal information such as Social Security numbers, names and personal health information of 1,900,000 individuals.
— Miami, FL based AvMed, Inc. reported the loss of two encrypted laptops containing personal information including Social Security Numbers and health records. The loss which occurred in December 2009 supposedly impacted 1.22 Million individuals.
3. Hacking: When an unauthorized person gains access to the computer networks and devices, it can potentially result in the hacker getting their hands on sensitive patient information. Once a hacker gets hold of this sensitive information, it could potentially fall in hands of other areas of organized crimes too.
— Utah Department of Health reported that one of its servers containing information such as addresses, social security numbers and date of birth was hacked into in March 2012 and impacted 780,000 individuals.
MO HealthNet reported in June 2013 that it mailed out information of its patients to the wrong addresses. The information contained in the letter potentially included Name, date of birth and last 4 digits of SSN.
5. Loss of Paper: Lots of information is still captured on paper and left on paper and file folders. This represents several instances of breach such as the paper falling in the wrong hands or shredding not done properly or paper just lost.
In May 2007, Georgia Division of Public Health reported that 140,000 paper records containing SSN’s and medical histories were impacted as those records were “discarded” without shredding.
6. Unauthorized access/ Disclosures/ Internal theft: This happens as a result of employees getting curious about certain patient’s medical history. This patient could be a celebrity or even a family member or friend. This unauthorized access could also have been made for personal financial gain.
— In June 2013, Los Angeles based Cedars-Sinai Medical Center reported the unauthorized access of TV personality Kim Kardashian: http://www.latimes.com/news/local/la-me-hospital-security-breach-20130713,0,7850635.story
— Office of the Medicaid Inspector General reported that in October 2012 an internal employee had emailed himself over 17,000 Medicaid patient records. These records potentially included information such as patient names, date of birth and social security numbers.
7. Malware: This is a software or program which is designed to get access to the sensitive data in your computers when it is able to infect that computer successfully. When such a program gets access to the company’s private computer systems, it is then able to create data breaches. This method of data breach is gaining a lot of popularity recently.
La Grange, TX based St. Mark’s Medical Center reported that an employee’s computer containing patient information such as names, date of birth and social security numbers was infected by a malware in 2012. Almost 2,900 records were stored on that computer.
8. IT issues: This could be as a result of issues within configuration of internal IT or as a result of not addressing key security aspects within the organization and also enforcing it with third-party vendors.
— Nashville, TN based Cogent Healthcare reported that the firewall of one of its vendor’s website was down. This resulted in Google’s spiders including almost 32,000 patient records in its index in May 2013.
9. Lack of encryption: Any sensitive data should usually have been encrypted in order to prevent unauthorized access. This also means hardware such as laptops should have encrypted hard drives. Data breaches also happen when devices fall in the wrong hands and there is no encryption on them.
–. Chattanooga, TN based Blue Cross Blue Shield of Tennessee reported the theft of several unencrypted computer hard drives. Occurring in October 2009, the theft impacted over 1 Million individuals.
10. Lack of internal IT policy and / or its enforcement: This happens when employees do not follow the laid out policy of the enterprise. This might happen due to lack of internal company education on policies. An example of an internal IT policy is that patient data should not be stored on hard drives of laptops.
— SynerMed reported that in April 2013, an employee’s laptop containing member information of Inland Valleys IPA such as names and date of birth was stolen from his automobile. This breach impacted over 1,500 individuals.
BONUS (10 + 1):
— Texas Health Harris Methodist Hospital Fort Worth reported in May 2013 that a portion of the microfiche which was supposed to be destroyed by its vendor, Shred-it, was found in a park. The microfiche could included information such as patient names, addresses, dates of birth and Social Security numbers
What are some instances of healthcare data breaches that your organization has been part of or you have observed?