Archive for the ‘Healthcare’ Category

Missing drives lead to HITECH Disclosures

May 3rd, 2010

Two hospitals in Kentucky have been forced to notify the public of data breaches under the new HITECH legislation.  Both breaches involved the loss of unencrypted portable drives.  According to the story in Health Data Management, one flash drive contained protected health information for 24,600 individuals admitted to the hospital since 2002.

The HITECH Act is changing the way that healthcare providers think about data security.  Small devices can store massive amounts of data and should be considered high risk if they are not properly secured.

Data Security, Healthcare, Portable Storage

HITECH Lawsuit

January 19th, 2010

Connecticut AG Richard Blumenthal is suing health provider Health Net over a lost external hard drive that contained sensitive information for 1.5 million past and present customers.  Under the new HITECH legislation passed last year, states can obtain statutory damages in the event of a HIPAA security breach.  The hard drive was not encrypted.

In a related story, BCBS of Tennessee just notified the public about a data breach affecting 500,000 customers.  57 unencrypted hard drives have gone missing.  The drives contained names, birth dates, social security numbers, and diagnostic healthcare information.  BCBS will pay for credit monitoring.  No word on HITECH penalties or lawsuits yet.

Data Security, Healthcare, Portable Storage

Healthcare data breaches cross the border

December 22nd, 2009

Healthcare providers are exposing private health information through the careless use of unsecured USB drives.  It’s not just a problem in the United States.  Last week the health department in Ontario’s Durham region lost a USB key containing data collected from 83,000 patients.

Like HIPAA regulations in the US, Ontario’s Personal Health Information Protection Act (PHIPA) requires healthcare providers “to ensure that personal health information in the custodian’s custody or control is protected against theft, loss and unauthorized use or disclosure”.

Data Security, Healthcare

Healthcare Data Breaches

December 18th, 2009

Two recent surveys show that the healthcare industry still has a long way to go in complying with the new HIPAA security requirements.  The 2009 HIMSS Security Survey found that one-third of respondents had at least one known case of medical identity theft, yet only 50% have a plan in place to respond to data breaches.

The City of Detroit admitted to two healthcare-related breaches this week. 

In one incident, a thief broke into a vehicle of a health department employee in October, snatching a flash drive with information from birth certificates…

The employee had backed up information on her flash drive because information was being transferred between computers at work.

The data appears to have been unencrypted.  The city has offered a year’s worth of credit monitoring to anyone who was affected.

Data Security, Healthcare, Portable Storage

Unencrypted data and another costly breach

November 20th, 2009

Health Net Inc. announced this week that it lost a portable hard drive containing the patient data of 1.5 million customers.  The data was not encrypted.

Connecticut Attorney General Richard Blumenthal said he was investigating the matter and why it took Health Net six months to report the healthcare breach.

“My investigation will seek to establish what happened and why the company kept its customers and the state in the dark for so long,” Blumenthal said in a statement. “The company’s failure to safeguard such sensitive information and inform consumers of its loss — leaving them naked to identity theft — may have violated state and federal laws.”

There have not been any cases of fraud linked to the incident, but Health Net will be picking up the tab for credit monitoring services for all impacted customers.

Data Security, Healthcare

Hospital pays for credit monitoring

October 15th, 2009

Pitt County Memorial Hospital is paying for credit monitoring after an employee lost a thumb drive containing names and social security numbers.

From The Greenville Daily Reflector:

PCMH sent letters to the affected patients, offering one year of free credit monitoring and identity theft services through Debix Inc. It will include credit monitoring and insurance protection to any patient who becomes a victim of identity theft as a result of the incident.

The article does not mention what the total cost of the breach will be, but you can get an estimate here.  There is also no mention of whether the device contained any protected health information (PHI) that would be covered by HIPAA.  New disclosure laws recently took effect as part of the HITECH Act of 2009.  If encryption is implemented on the storage device, notification is not required.

Data Security, Healthcare

Healthcare security lessons

October 13th, 2009

Dr. John Halamka, CIO of CareGroup Health System, shares his privacy and security lessons learned.  Dr. Halamka serves as Vice-Chairman of the federal Health Information Technology Standards Committee.

The workgroup’s recommendations include:

All data at rest on mobile devices must be encrypted. Encrypting all databases and storage systems within an organization’s data center would create a burden. But ensuring that devices such as laptops and USB drives, which can be stolen, encrypt patient-identified data makes sense and is part of new regulations such as Massachusetts’ data protection law.

See the full article for Dr. Halamka’s top five security lessons.

Data Security, Healthcare, Portable Storage

HIPAA Breach Notification Rules

September 23rd, 2009

The new interim HIPAA Rules concerning Health IT data security take effect today, Sept 23rd.  The new HIPAA rules cover any unauthorized access or disclosure of “unsecured” PHI (Protected Health Information).

The new rules are intended to ensure patient confidentiality, but there is some controversy over the “harm threshold” provision.

Congress intended for the federal rule to incentivize proactive data protection measures, such as encryption. For example, if the data involved in a breach is rendered unusable by encryption, companies do not have to issue breach notifications, the interim final rule states.

However, privacy groups are dismayed that a provision of the rule would allow healthcare entities to opt out of the notification requirements under certain circumstances.

Data Security, Government, Healthcare

Calculate your data breach cost

September 9th, 2009

The insurance company Darwin has created a nice tool for calculating the cost of a data breach based on the number of records exposed.

Tech 404 - Data Breach Calculator

Using last month’s incident at Naval Hospital Pensacola as an example, a hospital covered by HIPAA that exposes 38,000 records may be looking at a total data breach cost of around $6 Million.  Encryption technology for laptops, thumbdrives and other portable devices seems like a bargain in comparison.

Data Security, Healthcare, Portable Storage

HIPAA Survival Guide

August 5th, 2009

Healthcare Informatics has a link to a HIPAA Survival Guide.

Kanguru encrypted flash drives and management console can help healthcare organizations comply with the HIPAA Security Rule for protected health information.  The Remote Management Console has full logging and reporting capabilities for USB flash drive usage.  This provides an audit trail for showing HIPAA compliance.

Data Security, Healthcare