27 Year Sentence Issued for PHI Theft and Fraud
Violations of HIPAA Privacy Rule carry stiff sentences, with up to 10 years in jail possible for theft of PHI for personal gain; however using stolen data to commit fraud can carry a far stiffer penalty as James Lee Cobb, III, recently discovered. Florida Middle District Judge, Charlene Honeywell, recently passed a sentence of 27 years for the use of stolen healthcare data. Cobb, along with his co-conspirators, obtained protected Health Information stolen from healthcare providers and used the data to obtain pre-paid debit cards and file false tax returns in the names of the victims. Medical data carries a high value on the black market as the information can be used to steal identities, with criminals able to them run up thousands, if not millions in debts. Often the victims are unaware of the theft and do not discover their data has been used inappropriately until many months after the information was stolen. It is not clear how Cobb actually obtained patient data, but information stolen from hospital and healthcare providers can be purchased online through hidden dark net sites....
Flash Drives Go Missing from Lancaster County EMS
Sometimes even the best protections are not enough, as Lancaster County, EMS, S.C discovered when a safe used to store unencrypted flash drives securely was discovered to have gone missing. A thorough search of the building was organized but the safe, along with its contents, were nowhere to be found. County officials have stated that they have no reason to believe that the information has been used inappropriately but there is a risk that the safe has been opened and the contents – two flash drives and two computer hard drives – may have been accessed. The information contained on the devices included names, home addresses, dates of birth and Social Security numbers. It is highly probable that the data also included details of the patient’s health status and injuries, since the information related to patients collected by the county’s ambulances. While the total number of records has not been disclosed, the data covers a period of 10 years between 2004 and 2014. A WSOC news report indicates that last year alone the EMS dealt with 13,000 individual transports. It is therefore...
Penn State Hershey Medical Center Announces HIPAA Breach
Penn State Hershey Medical Center, in accordance with HIPAA Rules, has issued a breach notice out of an “abundance of caution” after an employee copied Protected Health Information (PHI) onto an unencrypted flash drive, took it home, copied it onto his home computer and emailed it to a couple of doctors authorized to view the information. The healthcare provider does not believe any information was inappropriately viewed by any unauthorized individuals, but has proceeded with a breach response to ensure that all patients are aware of the incident to allow them to take precautions should they wish to do so. Following the discovery, the hospital initiated an investigation to determine the data that could potentially have been exposed in the incident, and to find out if any information had been improperly accessed. That investigation did not cover any evidence of disclosure of PHI. However, the possibility that data has been viewed by unauthorized individuals or has been copied cannot be eliminated, hence the issuing of breach notification letters. 1,801 Potential Affected by Health...
Privacy Concerns Mount Over Government MIDAS Healthcare Database
In order to protect the privacy of Americans, Protected Health Information and other highly sensitive data must have a finite lifespan. When data is no longer required it must be securely destroyed. Holding data indefinitely is an unnecessary security risk, yet the government is recording healthcare information in its MIDAS – Multidimensional Insurance Data Analytics System – database indefinitely. The MIDAS database is maintained by CACI under government contract, and is owned by the Centers for Medicare and Medicaid Services. The MIDAS database is a critical component of Barack Obama’s Healthcare reform, and is instrumental to the smooth running of the system. The database has been in operation for four years, and serves as a perpetual central repository for all data collected. That data includes Personally Identifiable Information (PII) and Protected Health Information (PHI) and well over a million Americans, and that number is growing. Individual’s full names, addresses, contact telephone numbers and home addresses are stored with passport numbers, Social Security numbers,...
Recent Equipment Thefts Bring Data Encryption Issue to the Forefront
Cybersecurity is a hot topic at board meetings; the healthcare industry is under attack and cybersecurity defenses must be improved. While boards may be preoccupied with the threat from hackers – it is often perceived to be the biggest cause of HIPAA breaches – it is important not to forget about lower-tech attacks. Hackers are breaking through healthcare providers defenses to obtain PHI, but there are easier ways for thieves to obtain data: A fact that has certainly not been overlooked by the criminal fraternity. Theft of equipment containing Protected Health Information is also a major cause of HIPAA breaches, in spite of affordable technology existing to prevent data disclosure. Healthcare Providers Must Tackle Device Loss and Theft The spate of recent thefts reported by healthcare providers and health plans shows that while cybercriminal activity is on the rise, theft of devices containing unencrypted PHI is keeping pace. The risk of HIPAA breaches from the theft and loss of equipment simply cannot be ignored. It is an ever-present threat. Current figures may suggest...



