The California Department of Public Health (CDPH) has fined five hospitals for failing to prevent unauthorized access to patients’ medical information.
CDPH assessed the penalties under new California legislation intended to protect the confidentiality of medical records. Under the law, an administrative penalty of $25,000 may be assessed against a medical facility for the breach of each patient’s medical information. A penalty of up to $17,500 is added for each subsequent breach of each patient’s medical information.
Penalties are also increasing at the Federal level thanks to last year’s HITECH Act. Enforcement of the new legislation started earlier this year.
Data Security
Two hospitals in Kentucky have been forced to notify the public of data breaches under the new HITECH legislation. Both breaches involved the loss of unencrypted portable drives. According to the story in Health Data Management, one flash drive contained protected health information for 24,600 individuals admitted to the hospital since 2002.
The HITECH Act is changing the way that healthcare providers think about data security. Small devices can store massive amounts of data and should be considered high risk if they are not properly secured.
Data Security, Healthcare, Portable Storage
Connecticut AG Richard Blumenthal is suing health provider Health Net over a lost external hard drive that contained sensitive information for 1.5 million past and present customers. Under the new HITECH legislation passed last year, states can obtain statutory damages in the event of a HIPAA security breach. The hard drive was not encrypted.
In a related story, BCBS of Tennessee has just notified the public of a data breach affecting 500,000 customers: 57 unencrypted hard drives have gone missing. The drives contained names, birth dates, Social Security numbers, and diagnostic healthcare information. BCBS will pay for credit monitoring. There is no word yet on HITECH penalties or lawsuits.
Data Security, Healthcare, Portable Storage
Healthcare providers are exposing private health information through the careless use of unsecured USB drives. It’s not just a problem in the United States. Last week the health department in Ontario’s Durham region lost a USB key containing data collected from 83,000 patients.
Like HIPAA regulations in the US, Ontario’s Personal Health Information Protection Act (PHIPA) requires healthcare providers “to ensure that personal health information in the custodian’s custody or control is protected against theft, loss and unauthorized use or disclosure”.
Data Security, Healthcare
Two recent surveys show that the Healthcare industry still has a long way to go in complying with new HIPAA security requirements. The 2009 HIMSS Security Survey found that one third of respondents had at least one known case of medical identity theft, yet only 50% have a plan in place to respond to data breaches.
The City of Detroit admitted to two healthcare-related breaches this week.
In one incident, a thief broke into a vehicle of a health department employee in October, snatching a flash drive with information from birth certificates…
The employee had backed up information on her flash drive because information was being transferred between computers at work.
The data appears to have been unencrypted. The city has offered a year’s worth of credit monitoring to anyone who was affected.
Data Security, Healthcare, Portable Storage
Health Net Inc. announced this week that it lost a portable hard drive containing the patient data of 1.5 million customers. The data was not encrypted.
Connecticut Attorney General Richard Blumenthal said he was investigating the matter and why it took Health Net six months to report the healthcare breach.
“My investigation will seek to establish what happened and why the company kept its customers and the state in the dark for so long,” Blumenthal said in a statement. “The company’s failure to safeguard such sensitive information and inform consumers of its loss — leaving them naked to identity theft — may have violated state and federal laws.”
There have not been any cases of fraud linked to the incident, but Health Net will be picking up the tab for credit monitoring services for all impacted customers.
Data Security, Healthcare
A recent report from ICSA Labs and Verizon Business found that a majority of security products failed to perform when first tested by independent labs. Most products “require two or more cycles of testing before achieving certification”, showing that users should be skeptical of claims made by vendors unless they are backed up by independent testing.
Rounding out the top three is the startling finding that 44 percent of security products had inherent security problems. Security testing issues range from vulnerabilities that compromise the confidentiality or integrity of the system to random behavior that affects product availability. Even though it can be a demanding process, certification with a trusted, established third party is critical to verifying product quality, states the report.
The industry standard for encryption products is the FIPS 140-2 certification given jointly by the US Government (NIST) and the Canadian Government (CSEC). This process requires vulnerability testing by a third-party lab followed by government review. FIPS 140-2 ensures that encryption products do what they say they do, and is the recommended security level for HIPAA and other regulations. More information is available from the Cryptographic Module Validation Program (CMVP).
Data Security, Malware
Pitt County Memorial Hospital is paying for credit monitoring after an employee lost a thumb drive containing names and Social Security numbers.
From The Greenville Daily Reflector:
PCMH sent letters to the affected patients, offering one year of free credit monitoring and identity theft services through Debix Inc. It will include credit monitoring and insurance protection to any patient who becomes a victim of identity theft as a result of the incident.
The article does not mention what the total cost of the breach will be, but an estimate can be obtained with a data breach cost calculator. There is also no mention of whether the device contained any protected health information (PHI) that would be covered by HIPAA. New disclosure laws recently took effect as part of the HITECH Act of 2009. If encryption is implemented on the storage device, notification is not required.
Data Security, Healthcare
The new interim HIPAA Rules concerning Health IT data security take effect today, Sept 23rd. The new HIPAA rules cover any unauthorized access or disclosure of “unsecured” PHI (Protected Health Information).
The new rules are intended to ensure patient confidentiality, but there is some controversy over the “harm threshold” provision.
Congress intended for the federal rule to incentivize proactive data protection measures, such as encryption. For example, if the data involved in a breach is rendered unusable by encryption, companies do not have to issue breach notifications, the interim final rule states.
However, privacy groups are dismayed that a provision of the rule would allow healthcare entities to opt out of notification requirements under certain circumstances.
Data Security, Government, Healthcare
The insurance company Darwin has created a nice tool for calculating the cost of a data breach based on the number of records exposed.
Tech 404 – Data Breach Calculator
Using last month’s incident at Naval Hospital Pensacola as an example, a hospital covered by HIPAA that exposes 38,000 records may be looking at a total data breach cost of around $6 million. Encryption technology for laptops, thumb drives and other portable devices seems like a bargain in comparison.
Data Security, Healthcare, Portable Storage