The HIPAA Wall of Shame: Major Data Breaches of 2013

Healthcare organizations were hit hard by security breaches in 2013 and millions of Americans have had their health and personal data exposed, placing them at an elevated risk of suffering identity and medical fraud.

According to the Identity Theft Resource Center (ITRC), 614 data breaches were reported in 2013, an increase of 30% from the previous year. 269 of these breaches – 43% – affected the healthcare industry, with 2013 being the first year since 2005 that healthcare has ranked higher than the business sector for data breaches.

ITRC reported hacking to be the major cause of data breaches as a whole in 2013; however, it was the loss of unencrypted portable devices that resulted in the largest exposures of patient health data. Many laptop computers were stolen from vehicles and medical facilities, while hacking is a growing problem.

ITRC reports the total number of individuals affected by healthcare data breaches to be close to 9 million, and had the Target hack – which exposed 70 million records – not occurred, the healthcare sector would also have topped the breach list for the total number of individuals affected.

The industry is seen as an easy target for hackers due to a relative lack of security controls, and there are considerable incentives for thieves, with the value of healthcare data and Social Security numbers being far higher than that of credit card numbers. With healthcare data, thieves are able to make false medical and insurance claims, commit identity fraud and run up bills of thousands of dollars; far more money than can be obtained with credit card numbers.

Unless healthcare organizations take decisive action and improve their IT security systems, the problem is only likely to get worse. Given the current state of HIPAA compliance, 2014 looks like it will be a year of mammoth data breaches.

The Office for Civil Rights of the Department of Health and Human Services is charged with enforcing HIPAA Privacy and Security Rules and it has been a busy year. The OCR investigates HIPAA breaches and can issue heavy fines for covered entities that fail to implement the appropriate security controls to protect PHI. Many of the large-scale breaches below could well see financial penalties issued.

Data breaches are posted on the HHS website, commonly referred to as the OCR’s ‘Wall of Shame’, and the figures for 2013 make for depressing reading: the vast majority of these HIPAA breaches could all too easily have been prevented had data privacy and security rules been followed.

Largest Healthcare Data Breaches of 2013

Advocate Medical Group – Laptop Theft – 4,029,530 Records

The theft of four laptops on July 15, 2013 exposed the records of over 4 million patients of Advocate Medical Group in what was the second largest HIPAA breach ever to be reported. The incident exposed almost as many records as the Tricare data breach in 2011. That breach resulted in a class action lawsuit being filed for damages of $4.9 billion, and a class action suit has already been filed against Advocate Health for its mammoth HIPAA breach.

The data stored on the laptops included Social Security numbers, personal identifiers and Protected Health Information, although no credit card details were stored on the laptops.

Horizon Healthcare Services, Inc. (Horizon Blue Cross Blue Shield) – Laptop Theft – 840,000 Records

Two laptops stolen from Horizon Blue Cross Blue Shield headquarters in Newark, NJ, on the weekend of November 1-3 resulted in the Protected Health Information and personal identifiers of 840,000 individuals being compromised. The laptops were located in its third-floor offices, were secured with cable locks and had password protection, although the data was not encrypted.

A similar breach affected the insurer in 2008, when a stolen laptop caused 300,000 patient records to be exposed; however, even after this breach, Horizon Blue Cross Blue Shield did not implement a data encryption program to protect patient data.

AHMC Healthcare – Laptop Theft – 729,000 Records

Thieves gained access to the offices of AHMC Healthcare over the weekend of October 10 and stole two laptop computers which contained unencrypted PHI and personal identifiers of 729,000 Medicare patients from six California hospitals operated by AHMC.

The data included names, addresses and other personal information as well as medical diagnoses and health insurance information. Over 70,000 patient records also included Social Security numbers. AHMC Healthcare had conducted a full risk analysis, although the theft occurred before it had encrypted the data on its mobile devices.

Texas Health Harris Methodist Hospital Fort Worth – Improper Dumping – 277,014 Records

Texas Health Harris Methodist Hospital Fort Worth suffered one of the year’s most peculiar HIPAA breaches when one of its vendors and business associates – Shred-it – failed to destroy a number of microfiche films. The films were later discovered in numerous public locations in the Fort Worth area.

Microfiche films require special equipment to view the data, so the risk of identity theft was perceived to be low, although 277,014 individuals were believed to have been affected. It is not clear exactly what data was stored on the films, but they were believed to include some Social Security numbers, personal identifiers and other protected information.

Indiana Family & Social Services Administration – Programming Error – 187,533 Records

A business associate of Indiana Family & Social Services Administration inadvertently exposed the Protected Health Information of 187,533 patients when a computer programming error caused patient data to be mixed in with an FSSA mailing.

The information exposed was highly detailed and contained financial information in many cases. 3,926 patients also had their Social Security numbers divulged. The programming error was made on April 6, 2013 but was not discovered for 6 weeks and all mail sent between those dates was affected.

University of Washington Medicine – Malware Infection – 90,000 Records

An email attachment infected with malware took control of a UW Medicine computer and potentially gave hackers access to the Protected Health Information and personal details of up to 90,000 of its patients.

The breach occurred on October 2, although the infection was quickly identified. However, during the time the malware was active it could potentially have exposed Social Security numbers, medical diagnoses and treatments, dates of birth and contact information of UWM patients.

Lucile Packard Children’s Hospital – Laptop Theft – 57,000 Records

The theft of an unencrypted laptop computer from the car of a physician from Lucile Packard Children’s Hospital of Palo Alto, California potentially exposed the Protected Health Information of approximately 57,000 patients of the pediatric hospital and Stanford School of Medicine.

The theft took place on January 9, 2013, and names, dates of birth, health record numbers and some clinical data of patients were exposed. This was the third major breach to affect Lucile Packard and Stanford University in the last 3 years.

Froedtert Health – Computer Virus – 43,000 Records

A computer virus that infected the PC of an employee at Froedtert Health potentially gave hackers access to the Protected Health Information and personal identifiers of approximately 43,000 patients of the healthcare provider’s three Wisconsin hospitals.

The infection was discovered on December 13 and potentially allowed hackers to access patient names, addresses, phone numbers, dates of birth, clinical information, insurance details and a limited number of Social Security numbers.

Cottage Hospital, Cottage Health System – Lost Device – 32,755 Records

An error made by a Cottage Health System Business Associate – Insync – resulted in electronic protections being removed from a server containing 32,755 medical records, and also allowed a confidential file to be indexed by Google.

The data was accessible between October 8, 2012 and December 2, 2013 – 14 months – and included lab test results, clinical diagnoses, medical procedures, medical record numbers and account numbers, although no Social Security numbers were exposed in the breach.

Cogent Healthcare, Inc. – Unsecured Server – 32,151 Records

A Business Associate of Cogent Healthcare inadvertently turned off a firewall used to protect a server, which resulted in the Protected Health Information of 32,000 patients being accessible through search engines. The breach occurred when the firewall was turned off on May 5, 2013, with the error not discovered until more than a month later, on June 24.

M2ComSys was employed to provide transcription services and had stored the data it was provided on an insecure server. No Social Security numbers were exposed, although medical histories and personally identifiable information were present in the data.

Orthopedics & Adult Reconstructive Surgery – Loss of Portable Device – 22,000 Records

A Business Associate of Orthopedics & Adult Reconstructive Surgery – AssuranceMD – allegedly lost an unspecified portable device which is believed to have contained the unencrypted health data of approximately 22,000 patients. The incident occurred between January 3 and March 13, although few details of the incident were released. The exact data which was potentially exposed is unknown.

The device was provided to the business associate in order to increase data privacy and security measures and comply with state regulations; however, the device was lost before the data could be converted to the more secure format required by its new electronic medical record system.

Raleigh Orthopaedic Clinic – Recycling Scam – 17,300 Records

A vendor used by Raleigh Orthopaedic Clinic to convert old x-ray films into digital format potentially exposed the data of 17,300 patients. The x-ray films included patient dates of births and names.

The Raleigh clinic was scammed into providing the x-rays in order for its bogus vendor to sell the films to a recycling center to obtain the silver they contained. The records are believed to have been destroyed although it is not clear if any of the information was viewed.

Delta Dental of Pennsylvania – Mailing Error – 14,829 Records

A Business Associate of Delta Dental of Pennsylvania suffered a breach on March 20 after a number of paper records were lost, which potentially exposed the names and Social Security numbers of 14,829 employees of the Select Medical Corporation.

Correspondence containing ePHI was sent using USPS Priority Mail; however the letter arrived opened and a number of the records were discovered to be missing. It was not clear whether data was stolen or if the envelope was not properly sealed.

Lucile Packard Children’s Hospital – Laptop Theft – 12,900 Records

Lucile Packard Children’s Hospital suffered a second data breach in 2013 which exposed 12,900 patient records. This was the fifth security breach to affect the pediatric hospital since 2010. The breach occurred when a disused laptop computer was stolen from one of its access-controlled offices.

The laptop was decommissioned and had a broken screen; however the data it contained was unencrypted. It is not clear what information was contained on the laptop although it is believed to include personal information and PHI of its pediatric patients.

United HomeCare Services, Inc. – Laptop Theft – 13,500 Records

A laptop computer stolen from the car of an employee of United HomeCare Services on January 8 resulted in approximately 13,500 patient records being compromised. The data included names, addresses, medical diagnoses, physician names and medical record numbers, although no Social Security numbers were exposed.

The healthcare provider was already in the process of encrypting the data on its laptop computers, although not in time to prevent the data breach. The breach was reported to the OCR as having affected 12,299 patients, although a subsequent investigation revealed a further 1,318 had been affected.

Preventing HIPAA Breaches

Over the course of 2013, Business Associates were responsible for many of the major breaches. The Omnibus Final Rule now allows financial penalties to be issued by the OCR – and Attorney General’s offices – to business associates directly, and they are now accountable for any HIPAA breaches they cause.

Healthcare providers still have a responsibility to ensure their Business Associates are aware of HIPAA regulations covering the privacy and security of patient health data and should make sure that the appropriate controls will be employed to protect that data.

A high proportion of this year’s HIPAA breaches resulted from the loss or theft of laptop computers, memory sticks and portable hard drives. While it is not possible to prevent thieves from stealing equipment, all staff issued with mobile devices containing PHI must be trained on HIPAA regulations and instructed not to leave their devices unattended.

However, the most effective method of protecting devices which store or touch ePHI is to encrypt the data. If encrypted devices are stolen, the data they contain cannot be accessed and the theft will therefore not result in a HIPAA breach.
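Knowing which devices actually hold ePHI on unencrypted storage is the first step towards the encryption program described above. The following script is an added example, not code from the original article or from any of the organizations it names: it parses the key="value" output of `lsblk -P -o NAME,PKNAME,TYPE,FSTYPE,MOUNTPOINT` on a Linux laptop and lists every mounted filesystem that is not stacked on a dm-crypt (LUKS) layer. The sample lsblk output is constructed for illustration.

```python
# Flags mounted filesystems that are not stacked on a dm-crypt (LUKS) layer,
# from the key="value" output of:
#   lsblk -P -o NAME,PKNAME,TYPE,FSTYPE,MOUNTPOINT
import re
import sys

# Constructed sample: encrypted root, but a plaintext /data partition and a
# plaintext USB stick, both of which would be reportable if they held ePHI.
SAMPLE_LSBLK = """\
NAME="nvme0n1" PKNAME="" TYPE="disk" FSTYPE="" MOUNTPOINT=""
NAME="nvme0n1p1" PKNAME="nvme0n1" TYPE="part" FSTYPE="vfat" MOUNTPOINT="/boot/efi"
NAME="nvme0n1p2" PKNAME="nvme0n1" TYPE="part" FSTYPE="crypto_LUKS" MOUNTPOINT=""
NAME="cryptroot" PKNAME="nvme0n1p2" TYPE="crypt" FSTYPE="ext4" MOUNTPOINT="/"
NAME="nvme0n1p3" PKNAME="nvme0n1" TYPE="part" FSTYPE="ext4" MOUNTPOINT="/data"
NAME="sdb" PKNAME="" TYPE="disk" FSTYPE="" MOUNTPOINT=""
NAME="sdb1" PKNAME="sdb" TYPE="part" FSTYPE="exfat" MOUNTPOINT="/media/usb"
"""

PAIR_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_lsblk(text):
    """Return {NAME: {column: value}} from lsblk -P output."""
    rows = (dict(PAIR_RE.findall(line)) for line in text.splitlines())
    return {r["NAME"]: r for r in rows if r.get("NAME")}

def is_encrypted(name, devices):
    """True if the device or any ancestor (via PKNAME) is a crypt mapping."""
    seen = set()
    while name and name not in seen:
        seen.add(name)
        dev = devices.get(name)
        if dev is None:
            return False
        if dev.get("TYPE") == "crypt":
            return True
        name = dev.get("PKNAME", "")
    return False

def unencrypted_mounts(text, ignore=("/boot", "/boot/efi")):
    """Mount points whose data sits on plaintext block devices."""
    devices = parse_lsblk(text)
    return sorted(d["MOUNTPOINT"] for d in devices.values()
                  if d.get("MOUNTPOINT") and d["MOUNTPOINT"] not in ignore
                  and not is_encrypted(d["NAME"], devices))

if __name__ == "__main__":
    # Pipe real lsblk output in, or run without input to use the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LSBLK
    print(unencrypted_mounts(text))
```

Boot partitions are ignored by default because they hold no patient data; any other mount point the script reports is a device that would count as a breach if it held ePHI and were lost or stolen.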

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.