Sadly, I’m beginning to think I need to make health care data breach updates a regular occurrence. Last week, it was Premera Blue Cross (11 million affected customers), LifeWise (150,000 customers), and Advantage Dental (151,626 customers). Before that, Anthem (88.8 million customers and 8.8 million non-customers), Lone Star Circle of Care (8,700 customers), UMass Memorial Medical Group (14,000 customers), California Pacific Medical Center (844 customers), St Peter’s Health Partners (5,117 customers), the US Postal Service (1,235,000 employees and 2.9 million customers), and TRH Health Plan (80,000 customers).
This week, there are two more to tell you about: St Mary’s Health in Indiana, and Sacred Heart Health System in Florida, both of which admit to being hit by “e-mail hacking”.
In total, another 18,400 customers’ records have been compromised. Affected information includes names, dates of birth, genders, dates of service, insurance information, health information including diagnoses and procedures, Social Security numbers, billing account numbers, and physicians’ records.
These incidents bring 2015’s running total of affected individuals to 123,163,687.
It seems I spoke too soon. Louisiana-based Amedisys has lost 142 laptops, and as a result has notified 6,909 individuals that their personal information – including “name, address, Social Security number, date of birth, insurance ID numbers, medical records and other personally identifiable data” – may have been compromised.
An official statement can be found here.
This breach now brings 2015’s running total of individuals affected by health care breaches to 123,170,596.
And it’s not even April yet.
The Health Insurance Portability and Accountability Act (HIPAA)
Health care organizations are bound by the Health Insurance Portability and Accountability Act (HIPAA), whose Administrative Simplification rules regulate the use and disclosure of Protected Health Information (PHI) by covered entities.
HIPAA covered entities concerned about data security should implement an information security management system (ISMS), as specified by international best-practice standard ISO 27001.
By virtue of its all-inclusive approach, ISO 27001 encapsulates the information security elements of HIPAA by providing an auditable ISMS designed for continual improvement.
Companies often also achieve compliance with a host of other related legislative frameworks simply by achieving ISO 27001 registration. In addition, the external validation offered by ISO 27001 registration is likely to improve an organization’s cybersecurity posture while providing a higher level of confidence to customers and stakeholders – essential for securing certain global and government contracts.
IT Governance’s ISO 27001 Packaged Solutions provide fixed-price ISO 27001 implementation resources and consultancy support for all organizations, whatever their size, sector, or location, from under $600.
Civil monetary penalties (CMPs) for HIPAA violations, however, can be as much as $50,000 per compromised record, up to an annual maximum of $1.5 million, and criminal penalties can incur fines of up to $250,000 and ten years’ imprisonment.