Healthcare Industry Data Breaches in 2015
2015 has been a difficult year for healthcare industry cybersecurity professionals. More confidential records have been exposed in 2015 than since the OCR started publishing healthcare data breach reports. Huge healthcare industry data breaches at Anthem Inc., Premera BlueCross, Excellus BlueCross BlueShield, UCLA Health, Medical Informatics Engineering, and CareFirst BlueCross BlueShield have been suffered this year. 2015 Healthcare Industry Data Breaches Have Exposed 120 Million Records With so many large-scale data breaches suffered this year it is perhaps no surprise that healthcare industry data breaches have affected more people than breaches suffered by organizations in other industries. The latest figures from the Identity Theft Resource Center (ITRC) indicate over 120 million people have had their medical and/or personal data exposed so far this year as a result of healthcare industry data breaches. That represents 68.1% of the total number of breach victims created so far in 2015 across all industry sectors. The ITRC first started charting data breaches back in 2005. To...
Texas Attorney General Takes Action over Improper Disposal of PHI
Legal action has been taken by the Texas attorney general’s office against Alliance Health Management & Consulting Inc., for the improper disposal of Protected Health Information (PHI) of patients. The home healthcare management company is no longer in business, having ceased trading in July 2009; however last year, documents containing the PHI of patients were discovered to have been discarded in a dumpster without first having been rendered indecipherable. HIPAA Rules Covering the Disposal of Protected Health Information The HIPAA Privacy Rule requires covered entities to implement physical safeguards to keep all forms of PHI secured at all times. When PHI is no longer required by a covered entity it must be disposed of securely (45 CFR 164.310(d)(2)(i) and (ii)). PHI must be destroyed, or rendered unreadable and indecipherable. It must not be possible for any element of PHI to be reconstructed. The exact method that must be used to destroy records is not stipulated by HIPAA Rules, although for physical records the OCR recommends pulping, burning, shredding, or pulverizing....
OCR Settlement Reached with Lahey Hospital
The HHS has announced that Lahey Hospital and Medical Center has agreed to settle a case with the Office for Civil Rights (OCR) over alleged HIPAA violations following a data breach that occurred back in October, 2011. Lahey Hospital and Medical Center has agreed to pay $850,000 to settle the case without admission of liability. The nonprofit teaching hospital has also agreed to adopt the OCRs corrective action plan to address HIPAA-compliance issues discovered by OCR investigators. The settlement covers six ‘potential’ violations of HIPAA Rules, specifically the failure to implement appropriate administrative and physical controls to prevent the accidental disclosure of ePHI. Failure to Safeguard ePHI Results in $850,000 Settlement The incident which led to the OCR investigation involved the theft of an unencrypted laptop computer that had been left in an unlocked treatment room at the hospital. The laptop contained data recorded from one of the medical center’s CT scanners. The laptop contained electronic Protected Health Information of 599 patients. A financial penalty was...
Howler of a HIPAA Breach: 15K Social Security Numbers Emailed to Patients
A New York doctor made a simple but highly serious error this week that resulted in approximately 15,000 Social Security numbers and other Protected Health Information (PHI) being emailed to patients. Instead of attaching a coupon to an email, a spreadsheet containing patient names, appointment dates, home addresses, and Social Security numbers was attached and sent, according to an NBC news report. One patient said dates of birth were also included in the spreadsheet, although this was not confirmed by the doctor’s office. The patient also claimed the email said “coupon attached.” The email was sent from the office of Dr. Mary Ruth Buchness. Staff at the office were quickly alerted to the error by patients, and action was taken to recall the message. According to a member of staff from the office, only “a handful” of individuals had opened the email before it was recalled. Recalling a message may not always be successful, and it may be some time before it is known how many people actually viewed the data contained in the spreadsheet. At the present moment in time it is not clear...
PHI Data Breaches Occur in Most Industry Sectors
Healthcare organizations and other HIPAA-covered entities are required to report PHI data breaches to the Department of Health and Human Services’ Office for Civil Rights, so it is easy to track the security breaches suffered over the past few years. However, PHI breaches are not specific to the healthcare industry. Protected Health Information is stored by all manner of organizations, and all are at risk of suffering PHI data breaches. According to a recent study conducted by Verizon Enterprise Solutions, PHI data breaches have been suffered by 90% of companies, including non-healthcare organizations. PHI is not just stored by healthcare providers and insurers. PHI is contained in HR files, in addition to employee program data and workers’ compensation schemes. Verizon completed an analysis of PHI data breaches that have occurred over the course of the past 20 years. 1,931 individual PHI data breaches were analyzed as part of the study. Those data security incidents exposed the PHI of 392 million patients and employees. The HHS’ Office for Civil Rights and the Department of...



