Statistics on HHS-published breaches affecting 500 or more individuals (reported under HITECH requirements): more than 1 million individuals affected

HHS publishing healthcare breaches

From September 2009 through January 2010 there were 36 breaches affecting an estimated 1,073,657 individuals reported to the HHS. Here are some statistics:


Where were the breaches?
  • 28% in California
  • 11% in Michigan
  • 11% in Texas
  • 8% in DC
  • 8% in Illinois
  • 33% in 10 other states


How many individuals were estimated to be affected?
  • 47% in Tennessee (506,400)
  • 33% in Florida (349,000)
  • 8% in New York (83,000)
  • 4% in California (48,283)
  • 7% in other states (76,974)


What were the types of breaches?
  • Theft was involved in 74% of the breaches, accounting for 90% of the individuals affected
  • Unauthorized access was involved in 20% of the breaches, accounting for 4% of the individuals affected
  • The other types (Loss, Mailing, Hacking/IT Incident, Misdirected Email, Phishing) were involved in 19% of the breaches, accounting for 9% of the individuals affected


Where was the information stored?
  • Laptops were involved in 22% of the breaches, affecting 36% of the individuals
  • Desktop computers were involved in 17% of the breaches, affecting 3% of the individuals
  • Portable electronic devices were involved in 8% of the breaches, affecting 3% of the individuals
  • Hard drives were involved in 1% of the breaches, affecting 47% of the individuals
  • Postcards were involved in 1% of the breaches, affecting 8% of the individuals
  • Other locations were: mailings, backup tapes, CDs, Electronic Medical Record systems, paper records, films, network servers and email.


More details in the post.

Posted by Waynerino - February 23, 2010 at 8:19 am

Categories: Healthcare

Great article in Network Computing about HITECH and HIPAA’s influence on healthcare organizations

"...The flurry of activity around security in the health care industry is largely a product of the HITECH (Health Information Technology for Economic and Clinical Health) Act, passed as part of the Obama administration's stimulus package passed a year ago. The act takes a carrot-and-stick approach to spur the conversion of all patient information to electronic health records. The federal government is offering $19.2 billion in incentives to organizations that meet its requirements, starting in 2011. On the other hand, the act provides penalties for non-compliance starting in 2015 and stiffer penalties for violating HIPAA, which has been largely unenforced.

The message to health care organizations struggling to protect patient information and other sensitive data under the HITECH Act, HIPAA and other compliance mandates is no different from the one enterprises across every vertical are hearing: Implement a risk- and standards-based approach across the organization and you're likely to succeed. Focus on technology and operations, and you'll certainly fail. "Make sure you've done a good job of organizing around security throughout the organization," said Brian Cline, director of information security at Catholic Health East. "Adopt a governance model to have successful security, otherwise security will just be an IT problem...."

Posted by Waynerino - February 18, 2010 at 12:46 pm

Categories: Healthcare

UTMB cleaning up privacy breach

About 1,200 patients of The University of Texas Medical Branch at Galveston had their privacy violated by an employee of a company hired by UTMB to assist with billing from third-party payers.

Alpharetta, Ga.-based MedAssets Inc. (NASDAQ: MDAS) employed the individual who accessed the information between July and October of 2009. On Dec. 15, law enforcement officials notified MedAssets that a former employee had been arrested and charged with identity theft.

Posted by Waynerino - February 16, 2010 at 8:00 pm

Categories: Healthcare

Social Security numbers printed on mailing labels by CA Dept of Health Care Services

"...A labeling blunder has exposed the private data of nearly 50,000 of California's most vulnerable healthcare recipients. Their Social Security numbers were printed on address labels used in a mass mailing, state officials said.

The California Department of Health Care Services notified its beneficiaries of the security breach within several days of the Feb. 1 mailing. Many of those affected are blind, have Alzheimer's disease, or suffer some other cognitive disabilities, the Los Angeles Times reported....

....The DHCS was notified of the mistake Feb. 4 and started sending notification letters to beneficiaries two days later. The agency advised beneficiaries to contact credit reporting agencies and place fraud alerts on the opening of any new accounts...."

Posted by Waynerino - February 11, 2010 at 9:17 am

Categories: Healthcare

Proposed HIPAA harm threshold may provide balance

...The provision published August 24th in the Federal Register gives covered entities [a way] to prevent unnecessary breach notifications....

..."If you flood your patients with huge concerns, you're going to open up a floodgate of problems in your organization where you really may not have had a risk to start with," ...

...HHS says in the interim final rule that many commenters on its draft guidance in April suggested that HHS add a "harm threshold such that an unauthorized use or disclosure of [PHI] is considered a breach only if the use or disclosure poses some harm to the individual."...

  • In whose hands did the PHI land?
  • Can the information disclosed cause "significant risk of financial, reputational, or other harm to the individual"?
  • Was mitigation possible? For example, can you obtain forensic proof that a stolen laptop computer's data was not accessed?

Posted by Waynerino - February 10, 2010 at 7:55 am

Categories: Healthcare

Conficker infects servers at Leeds NHS

Likely infection route was a laptop or USB stick.

"...A spokesperson for NHS Leeds said, “We can confirm that some of our servers have been affected by the Conficker virus. We’re currently disinfecting the infected servers in the system and expect this process to be complete by the end of the week..."

"...Over recent weeks, UK public sector IT systems, particularly in hospitals, have been struck down by secondary infections. The outbreak in Leeds comes a little over a fortnight after the malware infected systems over the Pennines at Mid Cheshire NHS Trust. Conficker infected 85 PCs (or 3 per cent) of machines across the trust's network...."

Posted by Waynerino - February 9, 2010 at 7:20 am

Categories: Healthcare

Two weeks to “HIPAA v2” rules

"HIPAA v2" goes into effect in about two weeks due to the HITECH Act.

  • Feb 17: Business Associates must comply with HIPAA Security
  • Feb 18: New restrictions on healthcare providers honoring patient requests to restrict disclosure of PHI to health plans
  • Feb 22: Enforcement of the breach notification rule begins

Posted by Waynerino - February 5, 2010 at 2:34 pm

Categories: Healthcare

Memorial Hermann worker gets 5-year term for stealing patient identities and bank fraud

Worker stole copies of patient medical records, which she used to obtain credit cards. "...In one instance in March 2009, Brown improperly accessed information on a patient who died at the hospital and used the patient’s information to apply for a Target credit card. This case was investigated by the United States Secret Service and was prosecuted by Assistant United States Attorney Jay Hileman...."

Posted by Waynerino - February 4, 2010 at 7:50 am

Categories: Healthcare