Archive for the ‘Health Security’ Category
Wednesday, September 1st, 2010
Earlier this summer, Connecticut Attorney General Richard Blumenthal filed and settled the first HIPAA-related lawsuit. Following suit in other HIPAA news, pharmacy chain Rite Aid has now been hit with a $1 million fine for violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule.
According to federal charges, Rite Aid improperly disposed of prescription information. The Office for Civil Rights (OCR), which enforces HIPAA, has come to an agreement with Rite Aid and its 40 affiliated entities for the $1 million fine and for Rite Aid to take corrective action to improve its privacy policies and procedures.
“It is critical that companies, large and small, build a culture of compliance to protect consumers’ right to privacy and safeguard health information,” said Georgina Verdugo, director of OCR, in a statement from the Department of Health and Human Services.
In addition, the Federal Trade Commission has demanded that the company undergo frequent security audits.
This is the second settlement as a result of a joint HHS and FTC investigation. The two agencies worked together on a similar case involving CVS Caremark in February 2009, which resulted in a $2.25 million fine for the pharmacy chain.
Via SC Magazine
Wednesday, August 4th, 2010
Who Breached: South Shore Hospital
Number Affected: 800,000
Information breached: personal (including SSNs), health and financial information
How: lost backup tape
South Shore Hospital has notified 800,000 patients after back-up tapes containing personal, health and financial information were lost by a professional management company which was to destroy the files. This is, sadly, a case of best-laid security intentions (taking the right steps to properly dispose of unwanted data) gone awry.
South Shore Hospital failed to receive a certificate of destruction for the data. The hospital then pressed the data management company for an explanation and, months later, was informed that some of the shipped back-up computer files had gone missing.
This case is proof that data breaches can and do occur even when you take precautions to avoid them. There is no combination of security precautions that can provide 100% security against data breaches – the best you can do is be proactive and be prepared for breaches, should they occur.
If you have received a notification letter, South Shore has set up an FAQ on the incident here.
Via dataloss.db
Thursday, July 29th, 2010
As we previously mentioned, Connecticut Attorney General Richard Blumenthal filed the first HIPAA-related lawsuit. That lawsuit has now been settled, also a first.
The settlement agreement [PDF] between the State of Connecticut and the defendants (Health Net) is the result of the loss of a computer disk drive that had unencrypted health information for 1.5 million health plans. Health Net, under the terms of the settlement, has agreed to pay $250,000 to the state of Connecticut, offer 2 years of credit monitoring to those affected, obtain identity theft insurance and reimburse those affected for security freezes. They will also be required to greatly improve their security measures.
In addition, if the information that was breached is misused, there are further financial payments that would be required under this settlement.
To learn how Absolute Software can help you mitigate potential data breaches, check out our Endpoint Security whitepaper.
Via Privacy Law Blog
Wednesday, July 7th, 2010
Healthcare CIOs recently sat on an e-health panel at the MIT Sloan CIO Symposium in Cambridge. The panel's consensus was that human error would continue to cause data breaches despite advances in security technologies.
The panel believes that users must fully understand the risks involved with their behaviour before security can be improved.
While advancements in security technology better protect patient data, and regulations like HIPAA aim to set rules for information security and privacy, some breaches boil down to humans making mistakes…
Despite solid attempts at security protection and other precautions, healthcare organizations need to emphasize–and continue to remind–employees about simple things they need to do to prevent patient privacy breaches.
Absolute has always advocated a layered approach to security to help eliminate the human factor. Do you have questions about your healthcare security? Check out our brochure on security for healthcare computers.
Friday, January 29th, 2010
Who Breached: Ontario Teachers Insurance Plan
Number Affected: 8,600
Information breached: Social Insurance Numbers
How: laptops stolen
On December 3rd, laptops containing the private information (names, addresses, social insurance numbers) of about 8,600 Ontario teachers were stolen from the Waterloo offices of the Ontario Teachers Insurance Plan. Those affected were notified of the breach in mid-January.
The theft is characterized by police as a “smash and grab” with the laptops being one item among those stolen. This theft comes one month after a USB key containing some personal health information of 80,000 people was lost in Ontario.
It is not clear what security precautions, if any, were on the stolen laptops. We do know the laptops were unencrypted, so likely other security precautions were also not taken.
Act now to protect your own assets and the information on those assets by having a strong mobile data security policy and calling Absolute to ask about our laptop security solutions. For those in the healthcare field, please refer to our Healthcare Resources page.
Tuesday, January 26th, 2010
The first HIPAA-related lawsuit has just been filed by Connecticut Attorney General Richard Blumenthal. The AG is suing Health Net of Connecticut for failing to secure private patient medical records and financial information for 446,000 Connecticut residents and for failing to promptly notify those at risk from the breach.
In his lawsuit, Blumenthal is seeking a court order blocking Health Net from further HIPAA violations.
“Protected private medical records and financial information on almost a half million Health Net enrollees in Connecticut were exposed for at least six months—most likely by thieves—before Health Net notified appropriate authorities and consumers,” said Blumenthal. “The staggering scope of the data loss, and deliberate delay in disclosure, are legally actionable and ethically unacceptable. Even more alarming than the breach, Health Net downplayed and dismissed the danger to patients and consumers.”
A forensic consulting firm had determined that the data at Health Net was easily viewable, lacking encryption or other protections from unauthorized access. This went against company policies and against HIPAA compliance law.
For more about HIPAA, see our past articles here and here.
Via IronKey Blog, Health Imaging
Tuesday, October 20th, 2009
A Blue Cross and Blue Shield Association employee broke protocol by transferring the names, addresses, Social Security numbers and provider identification numbers of about 800,000 doctors to his personal laptop.
Unfortunately, his computer was stolen from his car this past August but, as of yet, there haven’t been any signs of identity theft.
The affected physicians have been informed and, thankfully, no patient information was included in the database.
A representative for the health insurance company was quoted in the Chicago Tribune as saying: “At this point, we have no evidence that the data was misused. We think this was a random criminal act. Regardless, we take these kinds of breaches extremely seriously and so we are alerting all doctors in the database.”
In an attempt to offset any negative consequences associated with the theft of the laptop, the Blue Cross association is offering credit monitoring services to the individuals whose Social Security information was exposed.
It goes without saying that this is really a worst-case scenario, since so many could be affected by this breach and the laptop hasn’t been recovered. This is an unfortunate example of how the mistakes of a single person could affect thousands of people.
In a situation like this, using a program like Computrace would be helpful since sensitive data can be deleted remotely and the Theft Recovery Team will work with local police to try to find the stolen laptop – and the thief who stole it. And once they have the laptop back, Computrace can be used to help determine if files were accessed post-theft. While it would still be important to be vigilant for signs of identity theft, the risk would be considerably lower.
Wednesday, September 30th, 2009
There are many types of information that people don’t want to share with the world but someone’s personal medical history is probably at the top of that list. The reasons we visit the doctor’s office can vary from mundane to downright embarrassing (or even scary), so it’s no surprise that many patients really depend on the rules surrounding confidentiality to protect this very private information.
Unfortunately, medical students may not realize the importance of patient privacy, which is evidenced by the fact that we’ve started seeing disclosures more and more through the use of social networking tools and modern technology. For example, one surgeon found the fact that his patient had the words “hot rod” tattooed on his genitals so funny that he took a picture and shared it with his colleagues.
As CNN reports, 60% of medical schools “have had students post inappropriate or unprofessional information on the Web.” While most of this information pertained to their own behavior, 13% of them shared content that violated patient privacy. Incredibly, there were even instances when some students were so descriptive that their patients were identifiable.
Incredibly, only 38% of the affected schools had policies in effect to deal with inappropriate sharing on the internet but, at least, 11% of the remaining schools were working on creating guidelines.
This illustrates the fact that many professions have not had to deal with internet security issues on this level but, while some are trying to actively address the issues, the public is at risk in the meantime.
Friday, July 10th, 2009
The Health Information Technology for Economic and Clinical Health (HITECH) Act, which was signed into law in February 2009, will come into effect on February 17, 2010. This new Act, in addition to encouraging doctors and hospitals to use electronic health care records systems, changes privacy requirements. The new privacy requirements strengthen those requirements already mandated by HIPAA.
Some of the changes that HITECH will mandate, in regards to privacy requirements, include:
- Definition of Personal Health Information (PHI) expanded
- Stronger data breach notification requirements
- Increased penalties for HIPAA violations and more aggressive enforcement, including criminal cases
- Subjects business associates to civil and criminal penalties for violating HIPAA requirements
- Defined guidelines on how to protect PHI
In terms of data breaches, HITECH will require that individuals be notified if their PHI has been accessed and that information was unsecured, unencrypted or not deleted from a computer using a method that meets the standard (such as the Computrace Data Delete feature). The act requires that vendors notify the individual of the breach even if identity theft is not probable, which is a much stronger requirement than many State notification requirements.
Though the effective date for HITECH is not until February, 2010, in August of this year the US Department of Health and Human Services (HHS) and the Federal Trade Commission (FTC) will synchronize their respective regulations and issue interim final regulations.
Healthcare organizations will need to address these new HITECH requirements by strengthening their data security measures. Computerworld has put together 5 Steps to HITECH Preparedness, which is well worth the read.
Wednesday, April 29th, 2009
The National Health Care Anti-Fraud Association (NHCAA) estimates that 3% of all healthcare spending – about $68 billion – is lost to fraud each year in the United States. The FBI / CDC estimate that figure could be as high as 10%, or $226 billion.
In the past, we’ve talked a great deal about the impact that fraud has on businesses and on consumers, including those affected by medical fraud. But we have yet to talk about the cost – the billions of dollars – this fraud is costing all of us in other ways.
Whether you have employer-sponsored health insurance or you purchase your own insurance policy, health care fraud inevitably translates into higher premiums and out-of-pocket expenses for consumers, as well as reduced benefits or coverage. For employers—private and government alike—health care fraud increases the cost of providing insurance benefits to employees and, in turn, increases the overall cost of doing business.
The NHCAA estimated in 2007 that $2.26 trillion was spent on health care and 4 billion health insurance claims were processed in the US. They conservatively estimated that $68 billion of this was lost to fraud, quite an astounding figure. The majority of health care fraud was found to be committed by a small number of dishonest health care providers submitting false claims to insurers and to public programs. Other types of provider-initiated fraud can be found here.
This abuse of claims can have damaging effects on patients who may find themselves victims of medical identity theft, with their insurance benefits affected by misuse. In addition to providers, organized criminal groups and individuals also perpetrate health care fraud. The report includes examples of crime rings that shifted from illegal drug trafficking to medical fraud schemes, resulting in millions of dollars in fraud.
If you want to learn more about health care fraud, read here.
Hat tip to I’ve been mugged ; Via dotmed