
Past three years over 21m Medical record breaches

by Paul Anderson
August 9, 2012
in Technology News
Over the past three years, about 21 million patients have had their medical records exposed in data security breaches that were big enough to require they be reported to the federal government.

Since Sept. 2009, 477 breaches affecting 500 people or more each have been reported to the Office for Civil Rights (OCR) under the U.S. Department of Health and Human Services. In total, the health records of 20,970,222 people have been compromised, the OCR said.

The Office for Civil Rights has been updating a list of the breaches on its website. The list is known to the health care industry as “The Wall of Shame,” according to the OCR.

Six health care organizations listed on The Wall of Shame reported security breaches that involved one million or more records.

Among the largest breaches reported was TRICARE Management Activity, the Department of Defense’s health care program, which reported 4.9 million records lost when backup tapes went missing. TRICARE, formerly known as Civilian Health and Medical Program of the Uniformed Services (CHAMPUS), provides civilian health benefits for military personnel, military retirees, and their dependents.

Other major breaches included: Health Net, which reported 1.9 million records lost when hard drives went missing; the New York City Health & Hospitals Corporation’s North Bronx Healthcare Network, which reported the theft of 1.7 million electronic medical records; AvMed Health Plans in Florida, which reported the theft of a laptop with 1.22 million patient records; and Blue Cross Blue Shield of Tennessee, which reported the theft of an external hard drive with 1.02 million records.

WellPoint, the largest managed health care company in the Blue Cross and Blue Shield Association, also reported 31,700 of its customer records were compromised during the three-year time period. WellPoint’s breach occurred via a hack to a network server, according to the report.

The Nemours Foundation, a health care organization that runs children’s hospitals, also reported the loss of 1.05 million records when data backup tapes were lost.

The breach notification and reporting is part of new rules under the Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009. The rules not only require the public reporting of breaches but also increased penalties for violations of the Health Insurance Portability and Accountability Act (HIPAA), which requires organizations to safeguard patient information.

About 55,000 breach reports involving fewer than 500 records were also reported to the OCR from 2009, according to Rachel Seeger, a senior health information privacy specialist with OCR.

Theft accounted for 54% of the breaches, while hacking accounted for only 6%. Theft was followed by unauthorized access or disclosure at 20%, lost records and devices at 11%, improper disposal of records at 5% and other/unknown categories at 4%.

“By far … theft is the number one type of breach we’re seeing,” Seeger said. “We’ve really seen this as a commentary on crime in America where the thieves are not after the information in the laptop, but they’re after the laptop.”

“Most of the portable devices are being stolen out of cars or otherwise being lost. Many of these laptops are lost by an employee while in transit on public transportation,” Seeger added.

But not all the data potentially exposed is lost by the health providers themselves. For example, in a statement issued in April last year, Health Net said it was notified by IBM, its IT vendor at the time, that it could not account for “several server drives,” which contained 1.9 million patient records.

Health Net said it acted “promptly, decisively and appropriately to protect affected individuals.”

Health Net stated that it worked with IBM and other experts to investigate the incident, and it notified affected individuals whose records had gone missing “in fewer than 60 days, in accordance with federal law.” The company stated that no evidence has been found to indicate the records have been used inappropriately.

“We voluntarily agreed to provide affected individuals with two years of credit monitoring, $1 million in insurance protection and reimbursement for costs associated with the freezing and unfreezing of an individual's credit,” Health Net stated.

Hospitals, insurance plans and physician practices can avoid penalties by simply encrypting the health care data or by destroying the electronics that house the data at end of life. Unfortunately, too few organizations are getting the message.

“We’re seeing daily reports of doctors offices being broken into for the CPU, the hard drive,” Seeger said. “It’s not just the mobile device. It’s anything electronic that people can sell.”

Under the HITECH Act, there are four categories of violations that reflect increasing levels of culpability. A maximum penalty amount of $1.5 million can be levied for each violation.

When healthcare organizations violate HIPAA privacy rules, the U.S. Department of Health and Human Services (HHS) hammers out a resolution agreement with the organization. Under the agreement, the healthcare organization performs certain obligations, such as staff training, and makes reports to HHS, typically for a period of three years. The agreement likely would also include the payment of a resolution amount.

When HHS is not able to reach a satisfactory resolution through demonstrated compliance or corrective action, “Civil Monetary Penalties” may be imposed for noncompliance. To date, HHS has entered into nine resolution agreements and issued civil monetary penalties against only one organization.

HHS hit Cignet Health of Prince George’s County with a $4.3 million civil monetary penalty. Other top breaches are still under investigation, Seeger said.

OCR said it found that Cignet violated 41 patients' rights by denying them access to their medical records when requested between September 2008 and October 2009.

“During the investigations, Cignet refused to respond to OCR's demands to produce the records. Additionally, Cignet failed to cooperate with OCR's investigations of the complaints and produce the records in response to OCR's subpoena,” HHS stated in a news release at the time.

On March 9, Blue Cross Blue Shield of Tennessee (BCBS) settled with the HHS to the tune of $1.5 million for 57 unencrypted computer hard drives that were stolen from a leased storage facility in 2009. BCBS has since encrypted all of its hard drives, representing 885TB of data. BCBS said it spent more than 5,000 man-hours on the encryption effort, which cost the company $6 million.

On June 26, the Alaska Department of Health and Social Services (DHSS) also settled with the HHS for $1.7 million, along with a three-year corrective action plan, for the theft of a USB hard drive from an employee’s vehicle. The hard drive held a relatively small number of records, representing only 501 people. That case represents the first HHS action against a state agency.

“The settlement is based on multiple violations of the Rule, not the number of records involved in the incident that sparked the investigation,” Seeger said.

The OCR found “long-standing non-compliance with the HIPAA Security Rules.”

“I think the fines and the list send a strong signal,” she added.

Originally seen on: www.computerworld.com