Data breaches that expose confidential medical data are costing healthcare providers $6 billion a year. SC Magazine reports on a new study by the Ponemon Institute, and the results are not good.
The top three causes of breaches were unintentional employee action, lost or stolen computing devices, and third-party accidents. The average number of lost or stolen records per breach was 1,769.
The survey found that breaches have cost the U.S. health care system $12 billion over the past two years. The economic impact of a data breach was approximately $2 million per organization over a two-year period.
Expect the number of records per breach to increase as portable devices continue to grow in capacity and shrink in price. Employees may have good intentions when they take the entire database home with them, but data breaches often result when a car is broken into or a thumb drive slips out of a pocket. Healthcare organizations need a policy for securing USB devices, and it needs to be enforced automatically.
Data Security, Healthcare, Portable Storage
A USB stick found outside a Manchester Police station was recently handed over to the news media. eWeek has a summary of the story and the Daily Star has a picture of the device, which contained information on counter-terrorism tactics and a list of police personnel. The device was not encrypted and the person who found the stick was able to plug it in and view its contents.
The incident highlights two major security concerns. The first is that users often fail to protect sensitive information if there is not an enforcement mechanism like self-encrypting hardware. The second is that people who find flash drives on the ground instinctively plug them in without considering the risk of malware. Studies have found this to be an easy attack vector for gaining access to corporate networks.
Data Security, Portable Storage
Tim Wilson at Dark Reading reports on two more data breaches involving lost storage devices:
Online attacks might be getting more sophisticated every day, but two incidents last week are reminding the industry that the loss of physical storage media is still among the most common causes of data breaches.
The term “free credit monitoring” appears in many articles like this one. It should be emphasized that the services will be free to the victims, but will be quite expensive for Care 1st.
Data Security, Portable Storage
Do your users take USB flash drives home with them? Are those drives encrypted? If not, they are taking a big risk every time they get in the car.
Unsecured USB drives are a big problem because:
A) Flash drives get stolen from cars
B) Flash drives tend to fall out of pockets in parking lots
These incidents are embarrassing and potentially expensive. Data breaches are increasingly subject to fines and penalties at the state and national level throughout North America and Europe.
Data Security, Portable Storage
Connecticut AG Richard Blumenthal is suing health provider Health Net over a lost external hard drive that contained sensitive information for 1.5 million past and present customers. Under the new HITECH legislation passed last year, states can obtain statutory damages in the event of a HIPAA security breach. The hard drive was not encrypted.
In a related story, BCBS of Tennessee just notified the public about a data breach affecting 500,000 customers. Fifty-seven unencrypted hard drives have gone missing. The drives contained names, birth dates, Social Security numbers, and diagnostic healthcare information. BCBS will pay for credit monitoring. No word on HITECH penalties or lawsuits yet.
Data Security, Healthcare, Portable Storage
In the last two years, 1,057,560 Massachusetts residents have been affected by reported data breach incidents according to a report released by the Commonwealth (PDF).
A new Massachusetts law, set to go into effect on March 1, 2010, will require that “personal information” stored on laptops and other portable devices must be encrypted. Personal information is defined under the law as, “a resident’s first and last name, or first initial and last name, in combination with any one or more of the resident’s: (a) social security number; (b) driver’s license number or state issued ID number, or (c) financial account number, or credit or debit card number…”
It is believed that with the new Data Breach Law, “the incidence of security breaches caused by unintentional but careless practices will decrease, as will the potential damage to residents whose information is gathered by unauthorized persons, since their information will be guarded by more robust protections, including encryption of information.”
Data Security
Despite having readily available solutions, our public institutions continue to expose personal data by losing unprotected USB flash drives.
This week the culprit is Roane State Community College, which let an employee copy names and Social Security numbers to an unencrypted 4GB USB stick. The drive was promptly stolen from an unlocked car, and the College will be paying for credit monitoring for 15,977 current and former students and employees.
Data Security, Portable Storage
The insurance company Darwin has created a nice tool for calculating the cost of a data breach based on the number of records exposed.
Tech 404 - Data Breach Calculator
Using last month’s incident at Naval Hospital Pensacola as an example, a hospital covered by HIPAA that exposes 38,000 records may be looking at a total data breach cost of around $6 million. Encryption technology for laptops, thumb drives and other portable devices seems like a bargain in comparison.
Data Security, Healthcare, Portable Storage
HSBC has been fined over £3 million ($5 million) for data security procedures that fail to meet Financial Services Authority (FSA) requirements.
The FSA said that, in April 2007, HSBC Actuaries lost a floppy disk in the post that contained 1,917 pension numbers and addresses. And, in February 2008, HSBC Life lost an unencrypted disk holding data on 180,000 policy holders, also in the post.
Costly data breaches can be avoided by remotely managing portable data. Not only is the data encrypted, but the device can be programmed to erase its contents the next time it is plugged in. The company keeps a log file showing the date, time and location where the data was destroyed.
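To make the remote-erase mechanism described above concrete, here is an added Python model (not any vendor's product) of a managed drive checking in with its management server at plug-in: the server answers with an HMAC-signed keep/wipe decision and records date, time and reported location in an audit log, while the device agent refuses any reply that is not authentic, is meant for another device, or is replayed from an earlier check-in. The serial numbers, the shared key and the location strings are constructed for the example.

```python
import hashlib
import hmac
import json
import os
from datetime import datetime, timezone

# Per-device key provisioned at enrollment (constructed value for this example).
SHARED_KEY = b"constructed-device-key-SN-0001"


class ManagementServer:
    """Answers device check-ins with an HMAC-signed keep/wipe decision and logs it."""

    def __init__(self):
        self.lost_devices = set()  # serials an administrator has flagged as lost/stolen
        self.audit_log = []        # (serial, UTC timestamp, reported location, action)

    def report_lost(self, serial):
        self.lost_devices.add(serial)

    def check_in(self, serial, nonce, location):
        action = "wipe" if serial in self.lost_devices else "keep"
        ts = datetime.now(timezone.utc).isoformat()
        # The nonce ties the reply to this check-in so an old "keep" cannot be replayed.
        msg = json.dumps({"serial": serial, "nonce": nonce, "ts": ts, "action": action},
                         sort_keys=True).encode()
        tag = hmac.new(SHARED_KEY, msg, hashlib.sha256).hexdigest()
        self.audit_log.append((serial, ts, location, action))
        return msg, tag


class DeviceAgent:
    """Runs on the drive at plug-in; the dict stands in for the encrypted container."""

    def __init__(self, serial, key):
        self.serial, self.key = serial, key
        self.storage = {}

    def on_plug_in(self, server, location):
        nonce = os.urandom(8).hex()
        msg, tag = server.check_in(self.serial, nonce, location)
        expected = hmac.new(self.key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expected):
            return "unverified"      # forged or tampered reply: stay locked, change nothing
        cmd = json.loads(msg)
        if cmd["serial"] != self.serial or cmd["nonce"] != nonce:
            return "unverified"      # reply meant for another device, or replayed
        if cmd["action"] == "wipe":
            self.storage.clear()     # real hardware would destroy the data-encryption key
            return "wiped"
        return "unlocked"
```

Until the agent has verified a fresh, authentic reply, the container stays locked; a lost device therefore yields nothing to a finder even while it waits for the wipe order.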
Data Security, Financial, Portable Storage
The local FOX newscast has the gory details (w/ video).
Canyons School District is investigating the loss of a USB flash drive containing sensitive information about employees and possibly former employees of the district. The information on the drive included addresses, phone numbers, Social Security numbers and dates of birth.
While there are no signs of foul play, all employees have been advised to monitor their credit. This could have been prevented by taking simple steps to protect sensitive data. You may not be carrying around missile secrets, but most organizations store the type of information that can be used for fraud.
Data Security, Portable Storage