New Data Breaches Reported by Kindred Healthcare and Rite Aid
Two new data breaches have been announced, highlighting how difficult it is for organizations to prevent the exposure of Protected Health Information (PHI). Even robust physical, technical and administrative controls are often insufficient to prevent the exposure of sensitive information. It is therefore essential to have a data breach response plan that can be enacted immediately upon discovery of a security breach.
Kindred Healthcare Discovers Locks are not Enough to Prevent Device Theft
Healthcare providers are required to implement a host of technical controls to prevent the exposure of PHI under HIPAA Rules; however, the volume of records stolen in recent months suggests that some healthcare providers fail to adequately secure files, medical images, and computer equipment physically. Yet even when files and equipment are secured under lock and key, there is no guarantee that the PHI is safe.
Kindred Healthcare, a Louisville, KY healthcare company that operates a number of hospitals and nursing centers throughout the United States, took a number of steps to secure its computer equipment, yet even with those protections in place, a desktop computer was stolen from its Kindred Transitional Care and Rehabilitation offices in Lawton, CA.
In addition to physical controls, the computer was protected by a password, although the data on the desktop computer was not encrypted. A login password does not protect data at rest once a drive is removed from the machine, so there is a risk that the PHI on the PC could have been accessed by unauthorized individuals.
The theft is understood to have occurred over the weekend of August 29/30, 2015, and was discovered when staff returned to work on Monday, August 31. In accordance with the HIPAA Breach Notification Rule, Kindred Healthcare implemented its data breach response plan immediately and began an investigation to determine what data was stored on the desktop computer. The following day, Kindred determined that the computer contained patient data classed as PHI under HIPAA, which included patient names, admission and discharge dates, patient ID numbers, days of Medicare use, and some accounting information relating to co-payments made by patients.
In contrast to many healthcare providers, which delay issuing breach notification letters to data breach victims, Kindred Healthcare issued breach notification letters to all affected patients within three weeks. The fast breach response should be commended. It may not always be possible to prevent a data breach, but it is possible to take rapid action to reduce the risk of patients suffering financial harm at the hands of criminals.
While there is a possibility that the information has been viewed by unauthorized individuals, the risk of that information being used inappropriately is relatively low since, crucially, Medicare numbers, insurance information, Social Security numbers, and credit card details were not stored on the computer’s hard drive.
The incident shows that even with physical and basic technical controls in place to safeguard sensitive data, it is not always possible to prevent a data breach.
Malware Infection Exposes Rite Aid Customer Data
Rite Aid is no stranger to data breaches, having suffered a security breach involving paper records/films every year since 2011. This time it was not the Rite Aid Corporation or one of its stores that was breached; instead, a third-party vendor, PNI Digital Media (PNI), was targeted by hackers.
The service provider failed to prevent malware from being installed on its servers, which potentially could have allowed an unauthorized individual to gain access to sensitive customer data. Fortunately, only a limited number of customers were affected; according to the breach notice issued to the California Department of Justice, the incident “Did not involve the compromise of any Rite Aid computer system, and RiteAid.com, Rite Aid Online Store, My Pharmacy, wellness+ with Plenti, and in-store systems were not impacted.”
However, credit card details used to make purchases via mywayphotos.riteaid.com during the period that the malware was present on the servers were potentially obtained by criminals. That data included credit card numbers, security codes, expiration dates, and names of card holders. Other exposed data included customer email addresses and home addresses.
Malware was inadvertently installed on the company’s servers on August 20 and remained until July 14. Upon discovery of the infection, Rite Aid shut down access to its online photo service to prevent further data exposure, and the malware was removed. The subsequent investigation conducted by PNI did not reveal any misuse of data, although a year of credit monitoring services has been offered to affected individuals as a precaution against credit card fraud.