data security

Firm offers data breach insurance

Anne Zieger — Sun, 17 Aug 2008 08:02:29 -0400

A unit of hospital purchasing alliance Premier Inc. has begun offering insurance designed to protect members against the cost of data breaches. We're guessing that HIT leaders and their colleagues are starting to realize just how expensive a malicious data breach can be. Those numbers are extremely steep--in fact, most incidents are estimated to cost nearly $200 per record and $6.3 million per incident. To address these concerns, the Premier unit's Premier Insurance Management Services of Charlotte, N.C., is offering data privacy and network risk liability insurance to members. It's working in partnership with Media/Professional Insurance of Kansas City, MO.

The insurance covers a bundle of "soft" costs relating from the breach, including expenses, fines and penalties arising from government and regulatory investigations into how the hospitals managed personal data. It also covers crisis management, public relations and customer notification. Policyholders also get access to data security risk management and planning help, consultation, and educational assistance from law firm Sonnenschein, Nath & Roshenthal LLP.

To learn more about this insurance:
- read this Health Data Management article

Related Articles:
U.S. hospitals have security 'blind spot'
More hospital data security breaches
Johns Hopkins loses patient, employee data
IT staffer fired after data theft, sues hospital

Seattle system will pay $100K HIPAA fine after repeated breaches

Anne Zieger — Sat, 19 Jul 2008 22:56:35 -0400

A Seattle-based health system has agreed to pay a $100,000 HIPAA fine to HHS--as well as improve its medical data security--after failing to properly secure data backup tapes, disks and laptops. This marks the first time HHS has agreed to a Resolution Agreement. During 2005 and 2006, medical data was stolen from Providence Health & Services several times, with backup tapes, optical disks and laptops being lost or stolen repeatedly. All told, the unencrypted personal health information of more than 386,000 patients was compromised.

In light of these incidents, the health system will now revise its policy on transporting patient records outside of company buildings, and it will improve employee training. It will also undergo security monitoring by the feds, and turn in report on data security measures for three years.

The fine that will be paid by Providence is actually fairly unusual, as very few HIPAA fines have actually been imposed to date. However, its security issues are also unique. While many health organizations have lost a single laptop or backup tape to theft or disorganization in recent years, I haven't encountered any that have actually had to report multiple losses. That might explain why federal monitors took a particular interest in this organization's troubles.

To learn more about the HIPAA settlement:
- read this Seattle Post-Intelligencer piece
- read this Briefings on HIPAA article

Related Articles:
IT staffer fired after data theft, sues hospital
Tenet warns of potential data theft
VA pledges better data security
Johns Hopkins investigates data breach

UnitedHealthcare breach leads to UC Irvine identity thefts

Mon, 09 Jun 2008 06:59:58 -0400

After months of investigation, it looks like a data breach at health plan UnitedHealthcare Services may be behind a large-scale rash of identity theft taking place at the University of California, Irvine. As of last week, it appeared that more than 155 graduate and medical students at UC Irvine had been hit by the identity thieves, who filed false tax returns in the victim's names and collected their tax refunds. The breach could potentially affect 1,132 graduate students enrolled with the university's graduate student health insurance program in the 2006-07 school year, officials said. The IRS notes that identity thieves have been particularly aggressive this year, as they may be able to collect not only refunds, but also the pending stimulus checks being handed out to families and individuals.

To learn more about the break-in:
- read this Computeworld piece

Related Articles:
Trend: Identity thieves get better at stealing medical records
The growing problem of medical identity theft
NY hospital worker charges with massive file theft
California expands health data breach rules

NJ flunks Medicaid data security audit

Mon, 05 May 2008 06:59:58 -0400

A new audit has concluded that New Jersey has not put adequate security measures in place to protect sensitive Medicaid program data. The review, conducted by the New Jersey Office of the State Auditor, concluded that the program isn't monitoring access to data such as Social Security and tax identification numbers, DEA numbers and birth dates. This information could be used against, not only the more than one million patients covered by the New Jersey Medicaid program, but also physicians who participate in the program. Officials with the state Department of Human Services, which runs the Medicaid program, told New Jersey legislators that employees can only access areas in which they work, which limits the systems' vulnerability. However, they admitted that they don't know which records employees view.

To learn more about the audit:
- read this Philadelphia Inquirer article

Related Articles:
CMS security holes expose patient data
Maine struggles with Medicaid billing system

U of Miami loses data on 2.1 million patients

Mon, 28 Apr 2008 06:59:58 -0400

While they contend that the data is unreadable--and therefore poses no risks--officials with the University of Miami School of Medicine have gone public with the news that someone stole back-up tapes holding health and financial information on about 2.1 million patients. The data, which contains information on patients going back through 1999, was stolen from a storage company contracted to hold the records. The data includes names, addresses, Social Security numbers and, in some cases, health and financial information. The university plans to directly notify 47,000 patients whose data could have included credit card or other payment information.

However, officials say that since the data is stored in a "complex and proprietary format," the thieves won't be able to access it. According to an analysis by computer security consulting firm Terremark Worldwide, which analyzed a similar set of back-up tapes, the nature of how the data was compressed and encoded should make it extremely difficult for thieves to access it.

To find out more about U of M's data theft problem:
- read this Florida Healthflash item

Related Articles:
NHI security breach includes data on U.S. rep
California expands health data breach rules
Johns Hopkins investigates data breach
VA pledges better data security

WellPoint data may have been compromised

Mon, 21 Apr 2008 06:59:57 -0400

While it's not clear what happened, it looks as though clinical and personal data on 130,000-odd WellPoint beneficiaries may have been accessed through the web. WellPoint has announced that during the past year, two servers operated by a vendor weren't properly secured, leaving pharmacy records, Social Security numbers, claims information and more exposed to the public. To date, WellPoint has not become aware of any identity thefts resulting from access to that data (though patients potentially could have suffered identity theft and failed to connect it to the breach). In response, WellPoint is offering potentially affected beneficiaries one year of free credit-monitoring services. It's also tightened up its security measure with help from an outside consultant.

To learn more about the breach:
- read this Chicago Tribune piece

Related Articles:
Johns Hopkins investigates data breach
Massive data loss at HCA
VA pledges better data security
Allina suffers patient data theft

U.S. hospitals have security 'blind spot'

Mon, 14 Apr 2008 06:59:57 -0400

A new study confirms what many health IT administrators already know--that hospitals aren't doing a great job when it comes to investing in security. The study, which was commissioned by risk consulting firm Kroll Fraud Solutions and published by HIMSS, concluded that hospitals' focus on medical privacy and compliance has distracted them from the threat of patient identity theft and other data breaches. While HIT administrators are very familiar with HIPAA, and eager to meet its privacy provisions, their HIPAA compliance measures won't do much to prevent fraud or malicious hacking, the study noted.

In addition, hospitals aren't being reminded as often as they should be that their peers are having security problems that could affect them, too. The HIMSS study noted that many data breaches don't get reported, given that there's no firm rules in place requiring such disclosures.

Even worse, HIT leaders and their peers may be ignorant as to just how expensive a malicious data breach can be--despite the fact that the average cost of such a breach generally is estimated at nearly $200 per record and $6.3 million per incident.

To learn more about the study:
- read this Healthcare IT News piece
- register and download the original report

Related Articles:
More hospital data security breaches
Hospitals face ID security holes
HIMSS08: IT execs ready to lock down security

NIH security breach includes data on U.S. Rep

Mon, 07 Apr 2008 06:59:58 -0400

Now this must be a little embarrassing for officials at NIH. As it turns out, Rep. Joe Barton (R-TX) was one of 3,000 patients involved in a cardiac MRI study whose records were possibly lost when a laptop computer was stolen from the agency. Not only is the loss of records on a U.S. Representative a faux pas, Barton happens to be a founder of the Congressional Privacy Caucus, which focuses on educating other Congressional offices and staff members on individual privacy issues. Though the laptop was stolen in February, Barton learned of the breach a couple of weeks ago, and didn't know his data might be involved until late March. Now Barton and colleagues are asking HHS's Inspector General to investigate why the data wasn't encrypted on the laptop, and why the agency didn't notify people sooner of the breach.

To learn more about the data theft:
- read this Modern Healthcare piece (reg. req.)

Related Articles:
California expands health data breach rules. Report
Johns Hopkins investigates data breach. Report
Massive data loss at HCA. Article
Allina suffers patient data theft. Report
VA pledges better data security. Report

UCLA staff accused of viewing Britney Spears' records

Mon, 24 Mar 2008 07:59:56 -0400

In what is unfortunately an all-too-predictable episode, UCLA Medical Center executives have said that they're investigating 13 staff members who seem to have accessed Britney Spears' medical records without authorization. The staff members are accused of viewing her non-medical records during her psychiatric stay in January. The Los Angeles Times reported that none of the staff members involved in the incident were physicians, but that they would be fired and that 12 others--including some doctors--would be disciplined. This incident follows on another, taking place in mid-2007, when two dozen employees at a New Jersey hospital were suspended without pay after viewing the medical records of actor George Clooney without authorization.

To learn more about the episode:
- read this article from Healthcare IT News

Related Articles:
Union fights suspensions for workers viewing star's records. Report
California expands health data breach rules. Report
Johns Hopkins investigates data breach. Report
Massive data loss at HCA. Article
Allina suffers patient data theft. Report
VA pledges better data security. Report

UCLA staff accused of viewing Britney Spears' records

Mon, 24 Mar 2008 07:59:56 -0400