Incomplete security leads to major medical-data breach
The Philadelphia Inquirer reports on a major data breach at Keystone and AmeriHealth Mercy Health Plans.
A spokesperson for the companies responded to questions for a follow-up article:
CSO Blog has a short explanation of the HITECH Act and its implications for healthcare providers and third-party partners. The author also outlines steps you can take to lower the risk of a data breach, including taking an inventory of all Protected Health Information (PHI) and encrypting every storage device that holds it.
IT Governance Blog has an update on the latest incident involving an NHS Trust, and a possible solution to the problem of unsecured USB sticks.
Two hospitals in Kentucky have been forced to notify the public of data breaches under the new HITECH legislation. Both breaches involved the loss of unencrypted portable drives. According to the story in Health Data Management, one flash drive contained protected health information for 24,600 individuals admitted to the hospital since 2002.
The HITECH Act is changing the way that healthcare providers think about data security. Small devices can store massive amounts of data and should be considered high risk if they are not properly secured.
Connecticut AG Richard Blumenthal is suing health provider Health Net over a lost external hard drive that contained sensitive information for 1.5 million past and present customers. Under the new HITECH legislation passed last year, states can obtain statutory damages in the event of a HIPAA security breach. The hard drive was not encrypted.
In a related story, BCBS of Tennessee just notified the public about a data breach affecting 500,000 customers after 57 unencrypted hard drives went missing. The drives contained names, birth dates, Social Security numbers and diagnostic healthcare information. BCBS will pay for credit monitoring. There is no word yet on HITECH penalties or lawsuits.
Healthcare providers are exposing private health information through the careless use of unsecured USB drives, and it is not just a problem in the United States. Last week the health department in Ontario’s Durham region lost a USB key containing data collected from 83,000 patients.
Like HIPAA regulations in the US, Ontario’s Personal Health Information Protection Act (PHIPA) requires healthcare providers “to ensure that personal health information in the custodian’s custody or control is protected against theft, loss and unauthorized use or disclosure”.
Two recent surveys show that the healthcare industry still has a long way to go in complying with the new HIPAA security requirements. The 2009 HIMSS Security Survey found that one-third of respondents had at least one known case of medical identity theft, yet only half have a plan in place to respond to data breaches.
The City of Detroit admitted to two healthcare-related breaches this week.
In one incident, a thief broke into a vehicle of a health department employee in October, snatching a flash drive with information from birth certificates…
The employee had backed up information on her flash drive because information was being transferred between computers at work.
The data appears to have been unencrypted. The city has offered a year’s worth of credit monitoring to anyone who was affected.
Health Net Inc. announced this week that it lost a portable hard drive containing the patient data of 1.5 million customers. The data was not encrypted.
Connecticut Attorney General Richard Blumenthal said he was investigating the matter and why it took Health Net six months to report the healthcare breach.
“My investigation will seek to establish what happened and why the company kept its customers and the state in the dark for so long,” Blumenthal said in a statement. “The company’s failure to safeguard such sensitive information and inform consumers of its loss — leaving them naked to identity theft — may have violated state and federal laws.”
No cases of fraud have been linked to the incident so far, but Health Net will be picking up the tab for credit monitoring services for all affected customers.
Pitt County Memorial Hospital is paying for credit monitoring after an employee lost a thumb drive containing names and Social Security numbers.
From The Greenville Daily Reflector:
PCMH sent letters to the affected patients, offering one year of free credit monitoring and identity theft services through Debix Inc. It will include credit monitoring and insurance protection to any patient who becomes a victim of identity theft as a result of the incident.
The article does not mention what the total cost of the breach will be, but you can get an estimate here. There is also no mention of whether the device contained any protected health information (PHI) that would be covered by HIPAA. New breach-notification requirements recently took effect as part of the HITECH Act of 2009. If the data on the storage device was encrypted, it does not count as unsecured PHI and notification is not required.
Dr. John Halamka, CIO of CareGroup Health System, shares his privacy and security lessons learned. Dr. Halamka serves as Vice-Chairman of the federal Health Information Technology Standards Committee.
The workgroup’s recommendations include:
All data at rest on mobile devices must be encrypted. Encrypting all databases and storage systems within an organization’s data center would create a burden. But ensuring that devices such as laptops and USB drives, which can be stolen, encrypt patient-identified data makes sense and is part of new regulations such as Massachusetts’ data protection law.
See the full article for Dr. Halamka’s top five security lessons.
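The recommendation above, and the point made repeatedly by the Kentucky, Health Net, BCBS and Durham incidents earlier on this page, is that any removable device carrying PHI must be encrypted. The script below is an added example, not code from the original post or from Dr. Halamka's workgroup, of how an administrator can check a Linux host for removable disks or partitions that carry a plain, unencrypted filesystem. It assumes util-linux `lsblk` with the NAME, PKNAME, RM, TYPE and FSTYPE columns; the sample `lsblk` output embedded in the script is constructed, and the `BitLocker` filesystem label is what recent libblkid reports for BitLocker To Go volumes.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post: audit removable block devices
# for plain (unencrypted) filesystems, using the key="value" records that
# `lsblk -P -o NAME,PKNAME,RM,TYPE,FSTYPE` prints. Whole-disk and per-partition
# filesystems are checked; LUKS containers (crypto_LUKS) and BitLocker To Go
# volumes (reported as "BitLocker" by recent libblkid) are accepted as encrypted.
set -eu

# audit_removable: read lsblk -P records on stdin and print one line per
# removable disk or partition that carries a plain filesystem.
# A device counts as removable if its own RM flag is 1 or its parent
# (PKNAME) was already seen as removable, so a partition on a USB stick
# is caught even if the RM column is only set on the whole disk.
audit_removable() {
  awk '
    # val(KEY="value") -> value
    function val(field,   kv) { split(field, kv, "="); gsub(/"/, "", kv[2]); return kv[2] }
    {
      name = ""; pk = ""; rm = ""; type = ""; fs = ""
      for (i = 1; i <= NF; i++) {
        if      ($i ~ /^NAME=/)   name = val($i)
        else if ($i ~ /^PKNAME=/) pk   = val($i)
        else if ($i ~ /^RM=/)     rm   = val($i)
        else if ($i ~ /^TYPE=/)   type = val($i)
        else if ($i ~ /^FSTYPE=/) fs   = val($i)
      }
      removable[name] = (rm == "1" || (pk != "" && removable[pk] == 1)) ? 1 : 0
      # TYPE "crypt" rows are the unlocked inside of a LUKS container and are
      # deliberately skipped: the on-disk bytes are already protected.
      if ((type == "disk" || type == "part") && removable[name] == 1 &&
          fs != "" && fs != "crypto_LUKS" && fs != "BitLocker")
        print "UNENCRYPTED " name " " fs
    }'
}

# Constructed sample of `lsblk -P -o NAME,PKNAME,RM,TYPE,FSTYPE` output:
# sda is the internal disk, sdb a vfat USB stick, sdc a LUKS-encrypted stick
# currently unlocked as phi_usb, and sdd a stick formatted ext4 directly
# with no partition table.
SAMPLE_LSBLK='NAME="sda" PKNAME="" RM="0" TYPE="disk" FSTYPE=""
NAME="sda1" PKNAME="sda" RM="0" TYPE="part" FSTYPE="ext4"
NAME="sdb" PKNAME="" RM="1" TYPE="disk" FSTYPE=""
NAME="sdb1" PKNAME="sdb" RM="1" TYPE="part" FSTYPE="vfat"
NAME="sdc" PKNAME="" RM="1" TYPE="disk" FSTYPE=""
NAME="sdc1" PKNAME="sdc" RM="1" TYPE="part" FSTYPE="crypto_LUKS"
NAME="phi_usb" PKNAME="sdc1" RM="0" TYPE="crypt" FSTYPE="ext4"
NAME="sdd" PKNAME="" RM="1" TYPE="disk" FSTYPE="ext4"'

# Run against the constructed sample. On a live host use instead:
#   lsblk -P -o NAME,PKNAME,RM,TYPE,FSTYPE | audit_removable
printf '%s\n' "$SAMPLE_LSBLK" | audit_removable
```

On the sample the script reports `sdb1` (vfat) and `sdd` (ext4) and stays silent about the internal disk and about the LUKS stick, including the unlocked `phi_usb` mapping on top of it. The same pipeline can be run from a scheduled job or an endpoint agent to produce an inventory of unencrypted removable media, which is the first step toward the PHI inventory and device encryption the CSO Blog post recommends.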