A security breach exposing the data of over 1,200 patients has recently been disclosed by the University of Miami. The Miller School of Medicine patient data was stolen back in November 2011, together with a flash drive, when someone broke into a pathologist’s car and took the briefcase where the portable device was stored.
The flash drive contained details such as age, sex, diagnosis and treatment information for patients treated from 2005 to 2011, the University of Miami disclosed in a press release. No financial information or Social Security numbers had been stored on the drive, according to the same press release.
Based on the many stories about data breaches reported by organizations in the healthcare industry, from hospitals to insurance companies and other third-party companies that deal with healthcare data, we could have guessed this is not even close to being a top sector when it comes to data security. A new report released by the Ponemon Institute now brings even further insight into the state of the healthcare industry, showing a spike in data breaches of over 30% and average annual costs of 6.5 billion US dollars.
The “2011 Benchmark Study on Patient Privacy and Data Security,” commissioned by IDExperts, identified employee error as one of the main causes of data breaches in hospitals and healthcare providers. These types of organizations in the healthcare industry suffered an average of four data breaches in the past year. Nearly 30 percent of healthcare companies said the breaches they suffered resulted in medical identity theft – an over 25 percent increase over 2010.
Hospitals, healthcare services providers, health insurance companies, all those operating in the healthcare segment seem to be particularly vulnerable to data breaches. Their patients and employees’ private details seem to be a frequent target for theft and easy to lose. It seems like this entire industry segment has no idea how to keep their data safe or how to properly dispose of it.
Two recent incidents highlight this serious security issue affecting healthcare players. The first incident occurred at Texas Health Partners and Texas Health Flower Mound Hospital. A laptop was stolen from an employee of Texas Health Partners and it happened to contain private details about hospital patients. While the information was not encrypted, the laptop was at least password protected. The stolen notebook contained various details on patients, including names, addresses, medical history and lab test information. The number of affected patients has not yet been disclosed.
An employee of the California Department of Health thought it would be a great idea to access and copy to a portable drive personal information belonging to 9,000 former and current state employees. The security breach discovered within the department involved names, dates of birth, and addresses stored in compensation records of the affected parties.
The California Department of Health is currently running an investigation on the scope and extent of the breach. In the meantime, the person responsible for the unauthorized removal of personal records from the institution is on administrative leave, answering all the questions needed to understand the incident.
A data and privacy breach comprising more than 33,000 patient records, of patients housed at the Martin Luther King, Jr. Multi-Service Ambulatory Care Center (MLK-MACC) in South Los Angeles, has been reported by the Los Angeles County Department of Health Services (DHS) and the Los Angeles County Sheriff’s Department (LASD) and resulted in a suspect being arrested.
The files in question, which had been stored in a secured and locked location, were reported missing on July 29. An immediate search of the MLK-MACC campus was launched for the missing files.
The data breach rules that become effective on September 23rd have been harshly criticized by a security firm specializing in encryption. According to the Health Information Technology for Economic and Clinical Health (HITECH) Act, US health organizations using encryption will no longer be required to notify their clients of data breaches, regardless of how ineffective the encryption system is.
According to the act, only healthcare providers and plans that have implemented the HIPAA standards but fail to encrypt the sensitive data they keep on their clients will have to let individuals know their private details have been breached. Even in such a case, explains The Register, it will be up to each organization to decide if there is a real risk for those affected and only afterward issue data breach notices.
“The protection law should address everyone – including those who have already implemented encryption, since most encryption systems are point-to-point even when they say otherwise,” said Mark Bower, director of information protection solutions at Voltage Security.
In its present form, the HITECH Act provides a quick and often inefficient fix to make amends with data security rules.