NRAD Medical Associates Reports 97K-Patient HIPAA Breach
NRAD Medical Associates has announced that it has suffered a major security breach which has compromised the personal and medical data of up to 97,000 of its patients. The Garden City, NY healthcare provider has issued breach notification letters to all affected patients – as required by the HITECH Act and HIPAA breach notification rule – to warn them that their records have been inappropriately accessed by a former employee. The employee in question was a radiologist who is alleged to have “accessed and acquired” up to 97,000 records on or around April 24th, 2014 by gaining access to NRAD’s billing systems. While it would appear that the radiologist took the data for personal or financial gain, NRAD informed patients that it is not aware of any external misuse of the information that the employee acquired and it believes patients face only a very low risk that their medical and health information will be used for fraudulent purposes. NRAD confirmed that as soon as it became aware of the breach it took rapid action to mitigate any damage, and also terminated the unnamed...
Online Thieves Steal 1.3 Million Patient Records
The recent security breach at the Montana Department of Public Health and Human Services involving the ePHI of 1.3 million patients may not be the largest data theft to date, but it certainly ranks as one of the largest potential HIPAA security breaches reported to date, and is the biggest data breach caused by hackers at the time of writing. Not only has the data been accessible in full by hackers, access to the data was possible for almost 12 months before the security breach was identified and access blocked. Officials have determined that the data was first accessed in July 2013 with a second attempt to access the data also occurring on May 22 this year. The identities of the intruders have so far not been established. The data has now been transferred to a new secure server. Without a safeguard in place to alert the network operator to the unauthorized access in real-time, the cyberattack allowed the perpetrators to gain full unmonitored access and take their time exploring the data held on the server. In spite of the long window of opportunity, no evidence has been found to...
Study Highlights Mobile Data Security Concerns
A recent comparative study conducted on mobile phone users on both sides of the Atlantic has highlighted the differences and similarities in attitudes about the security of mobile phones and the data they contain. The survey, conducted by iReach Insights on behalf of Inhance Technologies, set out to investigate attitudes to mobile phone security and whether there is interested in enhanced product warranties which include coverage of the data contained on mobile devices. The data from the survey showed that in both the UK and the USA mobile phone users are concerned about the security of the data stored on their phones and in the cloud. While today’s Smartphones are expensive, the majority of users rate the data stored on their mobiles as being at least of equal value to the phone itself. Three quarters of U.S respondents believed the data to be of equal value as the phone, with the figure rising to 80% in the 18-54 age range. Fear of loss of a phone has increased with over a quarter (27%) of U.S respondents more worried about the loss of their device than 12 months previously,...
Possible HIPAA Breach Sparks University of Cincinnati Medical Center Investigation
An investigation has been launched following a complaint about a data breach at the University of Cincinnati Medical Center. The HIPAA security breach occurred when a hospital employee in the financial services division accessed the data of a patient and shared that information with a third party, who subsequently used the information to conduct a hate campaign on Facebook. The hospital took action rapidly when the incident came to light and terminated the employment of the individual in question, with legal action soon to commence. This incident was reportable under HIPAA guidelines to the Office for Civil Rights and while the hospital claims to have issued a notification to the OCR, the OCR was unable to confirm whether the report had been received. A failure to report the incident would be a direct HIPAA violation, although the University of Cincinnati Medical Center claims to have documentation to prove that the notification of the data breach was made via the HHS website well within the notification deadline. Fines are issued by the OCR for data breaches as well as HIPAA...
Rady Children’s Hospital Reports 14,000-Record HIPAA Breach
Despite major efforts to secure its healthcare data from hackers and external threats, Rady Children’s Hospital has suffered a 14,121-record HIPAA breach after a member of staff made a simple error which resulted in six job applicants being provided with real data from its patients. As part of an internal evaluation, job applicants were provided with data that had not been de-identified, which is a breach of the HIPAA Privacy Rule. The data included the patients’ names, dates of birth, medical records, insurance claim information and primary diagnoses, although no financial information or Social Security numbers were divulged and neither were patient addresses. The names of parents or legal guardians were not present in the data set. The breach affects patients who had visited the hospital for treatment between July 1, 2012 and June 30, 2013. The data – in the form of a spreadsheet – was sent to the applicants via email; an insecure medium for transmitting PHI. The spreadsheet was emailed to four potential members of staff who had applied for data management positions...



