<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Healthcare Security News</title>
	<atom:link href="http://www.waynerino.com/wordpress/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.waynerino.com/wordpress</link>
	<description>Healthcare security blog covering the physical, network, application and compliance</description>
	<lastBuildDate>Thu, 25 Feb 2010 13:08:57 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0</generator>
		<item>
		<title>Statistics on HHS published breaches affecting 500 or more individuals per HITECH requirements, more than 1 million affected individuals</title>
		<link>http://www.waynerino.com/wordpress/2010/02/statistics-hhs-hitech-breache/</link>
		<comments>http://www.waynerino.com/wordpress/2010/02/statistics-hhs-hitech-breache/#comments</comments>
		<pubDate>Tue, 23 Feb 2010 13:19:53 +0000</pubDate>
		<dc:creator>Waynerino</dc:creator>
				<category><![CDATA[Healthcare]]></category>
		<category><![CDATA[HHS]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[HITECH Act]]></category>

		<guid isPermaLink="false">http://www.waynerino.com/wordpress/?p=414</guid>
		<description><![CDATA[<h1>HHS publishing healthcare breaches</h1>

From September 2009 through January 2010 there were 36 breaches affecting an estimated 1,073,657 individuals reported to the HHS.  Here are some statistics:
<p><hr />
Where were the breaches?
<ul>
<li>28% in California
<li>11% in Michigan
<li>11% in Texas
<li>8% in DC
<li>8% in Illinois
<li>33% in 10 other states
</ul>
<p><hr />How many individuals were estimated to be affected?
<ul>
<li>47% in Tennessee (506,400)
<li>33% in Florida (349,000)
<li>8% in New York (83,000)
<li>4% in California (48,283)
<li>7% in other states (76,974)
</ul>
<p><hr />What were the types of breaches?
<ul>
<li>Theft was involved with 74% of the breaches making up 90% of the number of individuals affected
<li>Unauthorized access was involved with 20% of the breaches making up 4% of the individuals 
<li>The other types (Loss, Mailing, Hacking/IT Incident, Misdirected Email, Phishing) were involved with 19% of the breaches making up 9% of the individuals 
</ul>
<p><hr />Where was the information stored?
<ul>
<li>Laptops were involved with 22% of the breaches affecting 36% of the individuals
<li>Desktop computers were involved with 17% of the breaches affecting 3% of the individuals
<li>Portable electronic devices were involved with 8% of the breaches affecting 3% of the individuals
<li>Hard drives were involved with 1% of the breaches affecting 47% of the individuals
<li>Post cards were involved with 1% of the breaches affecting 8% of the individuals
<li>Other locations were: mailings, backup tapes, CDs, Electronic Medical Record systems, Paper Records, Films, Network Servers and Email.
</ul>
<p><hr />
More details in the post.]]></description>
		<wfw:commentRss>http://www.waynerino.com/wordpress/2010/02/statistics-hhs-hitech-breache/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Great article in Network Computing about HITECH and HIPAA&#8217;s influence on healthcare organizations</title>
		<link>http://www.waynerino.com/wordpress/2010/02/great-article-in-network-computing-about-hitech-and-hipaas-influence-on-healthcare-organizations/</link>
		<comments>http://www.waynerino.com/wordpress/2010/02/great-article-in-network-computing-about-hitech-and-hipaas-influence-on-healthcare-organizations/#comments</comments>
		<pubDate>Thu, 18 Feb 2010 17:46:44 +0000</pubDate>
		<dc:creator>Waynerino</dc:creator>
				<category><![CDATA[Healthcare]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[HITECH]]></category>

		<guid isPermaLink="false">http://www.waynerino.com/wordpress/?p=411</guid>
		<description><![CDATA["...The flurry of activity around security in the health care industry is largely a product of the HITECH (Health Information Technology for Economic and Clinical Health) Act, passed as part of the Obama administration's stimulus package passed a year ago. The act takes a carrot-and-stick approach to spur the conversion of all patient information to electronic health records. The federal government is offering $19.2 billion in incentives to organizations that meet its requirements, starting in 2011. On the other hand, the act provides penalties for non-compliance starting in 2015 and stiffer penalties for violating HIPAA, which has been largely unenforced.
<p>
The message to health care organizations struggling to protect patient information and other sensitive data under the HITECH Act, HIPAA and other compliance mandates is no different from the one enterprises across every vertical are hearing: <b>Implement a risk- and standards-based approach across the organization and you're likely to succeed. Focus on technology and operations, and you'll certainly fail. </b>"Make sure you've done a good job of organizing around security throughout the organization," said Brian Cline, director of information security at Catholic Health East. "Adopt a governance model to have successful security, otherwise security will just be an IT problem...." 
]]></description>
		<wfw:commentRss>http://www.waynerino.com/wordpress/2010/02/great-article-in-network-computing-about-hitech-and-hipaas-influence-on-healthcare-organizations/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>UTMB cleaning up privacy breach</title>
		<link>http://www.waynerino.com/wordpress/2010/02/utmb-cleaning-up-privacy-breach/</link>
		<comments>http://www.waynerino.com/wordpress/2010/02/utmb-cleaning-up-privacy-breach/#comments</comments>
		<pubDate>Wed, 17 Feb 2010 01:00:35 +0000</pubDate>
		<dc:creator>Waynerino</dc:creator>
				<category><![CDATA[Healthcare]]></category>
		<category><![CDATA[identity theft]]></category>
		<category><![CDATA[Texas]]></category>

		<guid isPermaLink="false">http://www.waynerino.com/wordpress/?p=407</guid>
		<description><![CDATA[About 1,200 patients of The University of Texas Medical Branch at Galveston had their privacy violated by an employee of a company hired by UTMB to assist with billing from third-party payers.
<p>
Alpharetta, Ga.-based MedAssets Inc. (NASDAQ: MDAS) employed the individual who accessed the information between July and October of 2009. On Dec. 15, law enforcement officials notified MedAssets that a former employee had been arrested and charged with identity theft.]]></description>
		<wfw:commentRss>http://www.waynerino.com/wordpress/2010/02/utmb-cleaning-up-privacy-breach/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Social security numbers on mailing from CA Dept of Health Care</title>
		<link>http://www.waynerino.com/wordpress/2010/02/social-security-numbers-on-mailing-from-ca-dept-of-health-care/</link>
		<comments>http://www.waynerino.com/wordpress/2010/02/social-security-numbers-on-mailing-from-ca-dept-of-health-care/#comments</comments>
		<pubDate>Thu, 11 Feb 2010 14:17:44 +0000</pubDate>
		<dc:creator>Waynerino</dc:creator>
				<category><![CDATA[Healthcare]]></category>
		<category><![CDATA[mail]]></category>
		<category><![CDATA[SSN]]></category>

		<guid isPermaLink="false">http://www.waynerino.com/wordpress/?p=404</guid>
		<description><![CDATA["...A labeling blunder has exposed the private data of nearly 50,000 of California's most vulnerable healthcare recipients. Their Social Security numbers were printed on address labels used in a mass mailing, state officials said.
<br /><br />
The California Department of Health Care Services notified its beneficiaries of the security breach within several days of the Feb. 1 mailing. Many of those affected are blind, have Alzheimer's disease, or suffer some other cognitive disabilities, the Los Angeles Times reported....
<br /><br />
....The DHCS was notified of the mistake Feb. 4 and started sending notification letters to beneficiaries two days later. The agency advised beneficiaries to contact credit reporting agencies and place fraud alerts on the opening of any new accounts...."]]></description>
		<wfw:commentRss>http://www.waynerino.com/wordpress/2010/02/social-security-numbers-on-mailing-from-ca-dept-of-health-care/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Proposed HIPAA harm threshold may provide balance</title>
		<link>http://www.waynerino.com/wordpress/2010/02/proposed-hipaa-harm-threshold-may-provide-balance/</link>
		<comments>http://www.waynerino.com/wordpress/2010/02/proposed-hipaa-harm-threshold-may-provide-balance/#comments</comments>
		<pubDate>Wed, 10 Feb 2010 12:55:13 +0000</pubDate>
		<dc:creator>Waynerino</dc:creator>
				<category><![CDATA[Healthcare]]></category>
		<category><![CDATA[hipaa harm]]></category>

		<guid isPermaLink="false">http://www.waynerino.com/wordpress/?p=401</guid>
		<description><![CDATA[...The provision published August 24th in the Federal Register gives covered entities to prevent unnecessary breach notifications....
<br />
..."If you flood your patients with huge concerns, you're going to open up a floodgate of problems in your organization where you really may not have had a risk to start with," ...
<br />
...HHS says in the interim final rule that many commenters on its draft guidance in April suggested that HHS add a "harm threshold such that an unauthorized use or disclosure of [PHI] is considered a breach only if the use or disclosure poses some harm to the individual."...
<br />
<ul>
<li>In whose hands did the PHI land?
<li>Can the information disclosed cause "significant risk of financial, reputational, or other harm to the individual"?
<li>Was mitigation possible? For example, can you obtain forensic proof that a stolen laptop computer's data was not accessed?
</ul>]]></description>
		<wfw:commentRss>http://www.waynerino.com/wordpress/2010/02/proposed-hipaa-harm-threshold-may-provide-balance/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Conficker infects servers at Leeds NHS</title>
		<link>http://www.waynerino.com/wordpress/2010/02/conficker-infects-servers-at-leeds-nhs/</link>
		<comments>http://www.waynerino.com/wordpress/2010/02/conficker-infects-servers-at-leeds-nhs/#comments</comments>
		<pubDate>Tue, 09 Feb 2010 12:20:56 +0000</pubDate>
		<dc:creator>Waynerino</dc:creator>
				<category><![CDATA[Healthcare]]></category>
		<category><![CDATA[Conficker]]></category>

		<guid isPermaLink="false">http://www.waynerino.com/wordpress/?p=398</guid>
		<description><![CDATA[Likely infection route was a laptop or USB stick...

"...A spokesperson for NHS Leeds said, “We can confirm that some of our servers have been affected by the Conficker virus. We’re currently disinfecting the infected servers in the system and expect this process to be complete by the end of the week..."

"...Over recent weeks, UK public sector IT systems, particularly in hospitals, have been struck down by secondary infections. The outbreak in Leeds comes a little over a fortnight after the malware infected systems over the Pennines at Mid Cheshire NHS Trust. Conficker infected 85 PCs (or 3 per cent) of machines across the trust's network...."]]></description>
		<wfw:commentRss>http://www.waynerino.com/wordpress/2010/02/conficker-infects-servers-at-leeds-nhs/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Two weeks to &#8220;HIPAA v2&#8221; rules</title>
		<link>http://www.waynerino.com/wordpress/2010/02/two-weeks-to-hipaa-v2-rules/</link>
		<comments>http://www.waynerino.com/wordpress/2010/02/two-weeks-to-hipaa-v2-rules/#comments</comments>
		<pubDate>Fri, 05 Feb 2010 19:34:52 +0000</pubDate>
		<dc:creator>Waynerino</dc:creator>
				<category><![CDATA[Healthcare]]></category>
		<category><![CDATA[hipaa security]]></category>
		<category><![CDATA[hipaa v2]]></category>
		<category><![CDATA[HITECH Act]]></category>

		<guid isPermaLink="false">http://www.waynerino.com/wordpress/?p=394</guid>
		<description><![CDATA["HIPAA v2" goes into effect in about weeks due to the HITECH Act.

<ul>
<li>Feb 17: Business Associates must comply with HIPAA Security
<li>Feb 18: New restrictions on healthcare providers honoring patient requests to restrict disclosure of PHI to health plans
<li>Feb 22: Enforcement of the breach notification rule begins
</ul>
]]></description>
		<wfw:commentRss>http://www.waynerino.com/wordpress/2010/02/two-weeks-to-hipaa-v2-rules/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Memorial Hermann worker gets 5 year term for stealing patient identities and bank fraud</title>
		<link>http://www.waynerino.com/wordpress/2010/02/memorial-hermann-worker-gets-5-year-term-for-stealing-patient-identities-and-bank-fraud/</link>
		<comments>http://www.waynerino.com/wordpress/2010/02/memorial-hermann-worker-gets-5-year-term-for-stealing-patient-identities-and-bank-fraud/#comments</comments>
		<pubDate>Thu, 04 Feb 2010 12:50:07 +0000</pubDate>
		<dc:creator>Waynerino</dc:creator>
				<category><![CDATA[Healthcare]]></category>
		<category><![CDATA[Secret Service]]></category>
		<category><![CDATA[Texas]]></category>

		<guid isPermaLink="false">http://www.waynerino.com/wordpress/?p=391</guid>
		<description><![CDATA[Worker stole copies of patient medical records which she used to get credit cards. 

"...In one instance in March 2009, Brown improperly accessed information on a patient who died at the hospital and used the patient’s information to apply for a Target credit card.

This case was investigated by the United States Secret Service and was prosecuted by Assistant United States Attorney Jay Hileman...."
]]></description>
		<wfw:commentRss>http://www.waynerino.com/wordpress/2010/02/memorial-hermann-worker-gets-5-year-term-for-stealing-patient-identities-and-bank-fraud/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Data on 4,000+ patients on stolen laptop</title>
		<link>http://www.waynerino.com/wordpress/2010/02/data-on-4000-patients-on-stolen-laptop/</link>
		<comments>http://www.waynerino.com/wordpress/2010/02/data-on-4000-patients-on-stolen-laptop/#comments</comments>
		<pubDate>Wed, 03 Feb 2010 17:36:30 +0000</pubDate>
		<dc:creator>Waynerino</dc:creator>
				<category><![CDATA[Healthcare]]></category>
		<category><![CDATA[Stolen laptop]]></category>
		<category><![CDATA[UCSF]]></category>

		<guid isPermaLink="false">http://www.waynerino.com/wordpress/?p=384</guid>
		<description><![CDATA[<ul>
<li>Laptop stolen from UCSF containing files with information on 4,400 patients
<li>Patients are being alerted that their information is vulnerable to access
</ul>

<hr />

"...Information “potentially exposed” included name, medical record number, age and clinical information, but the stolen laptop did not contain any Social Security numbers or other financial data, officials said.

“Although there is no indication that unauthorized access to the files or the laptop actually took place,” UCSF said, both UCSF and another affected medical center began sending out notifications to patients this month....

<hr />

...Officials said late Wednesday that it took some time to determine what information was on the missing laptop, and then to find addresses for affected patients. "UCSF then promptly began notifying patients, a process that requires a precise and meticulous set of steps, determining, for example, the status of patients -- whether they are living or deceased, whether they are minors requiring parental notification, whether they have new addresses. This process has been carried out in coordination with the UCPD investigation and recovery efforts," officials said in an emailed statement...."]]></description>
		<wfw:commentRss>http://www.waynerino.com/wordpress/2010/02/data-on-4000-patients-on-stolen-laptop/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Surgery status updates to family via Twitter</title>
		<link>http://www.waynerino.com/wordpress/2010/02/surgery-status-updates-to-family-via-twitter/</link>
		<comments>http://www.waynerino.com/wordpress/2010/02/surgery-status-updates-to-family-via-twitter/#comments</comments>
		<pubDate>Wed, 03 Feb 2010 13:09:54 +0000</pubDate>
		<dc:creator>Waynerino</dc:creator>
				<category><![CDATA[Healthcare]]></category>
		<category><![CDATA[florida]]></category>
		<category><![CDATA[HIPAA Privacy]]></category>
		<category><![CDATA[twitter]]></category>

		<guid isPermaLink="false">http://www.waynerino.com/wordpress/?p=380</guid>
		<description><![CDATA[Interesting use of technology, but scary from a HIPAA privacy perspective.  Also feels a little creepy to me.  The patient is only identified as "Patient of Dr. <i>So and so</i>".

"...Fawcett Memorial Hospital will begin using social networking website Twitter to give family members updates on patients in surgery. It's a unique way the family can stay informed through the whole process.

"We're able to be inside the surgical room while a patient is having surgery, tweeting out updates," said Michelle Ritter, Director of Marketing for Fawcett Memorial Hospital...."]]></description>
		<wfw:commentRss>http://www.waynerino.com/wordpress/2010/02/surgery-status-updates-to-family-via-twitter/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
