I blogged a couple of weeks ago about a flurry of healthcare data breaches that have been reported so far this year. It seems there’s another one to add to the list.
About 8,700 individuals, including 6,300 patients, have been notified that their personal information – including names, addresses, phone numbers, and birth dates – was publicly available on the Lone Star Circle of Care website for almost half a year, and was accessed numerous times by “unauthorized individuals”.
According to the Austin American-Statesman, Lone Star is “a nonprofit that cares for nearly 80,000 Central Texans, most of whom are low-income or uninsured.”
Lone Star CEO Rhonda Mundhenk said that the company that designed and maintained the website was to blame, and that its contract had been terminated.
“We take the situation very seriously,” she told the Statesman. “We want to give our patients some peace of mind to let our patients know it involved no financial information.” Patients, job seekers, and others who are concerned about their personal information can call 866-898-5161 for assistance.
As a health care provider, Lone Star is bound by the Health Insurance Portability and Accountability Act (HIPAA), whose Administrative Simplification rules regulate the use and disclosure of Protected Health Information (PHI) by covered entities.
HIPAA-covered entities that are concerned about data security should implement an information security management system (ISMS), as specified by the international best-practice standard ISO 27001.
By virtue of its all-inclusive approach, ISO 27001 encapsulates the information security elements of HIPAA by providing an auditable ISMS designed for continual improvement.
It is often the case that companies will also achieve compliance with a host of other related legislative frameworks simply by achieving ISO 27001 registration. In addition to this, the external validation offered by ISO 27001 registration is likely to improve an organization’s cybersecurity posture while providing a higher level of confidence to customers and stakeholders – essential for securing certain global and government contracts.
IT Governance’s ISO 27001 Packaged Solutions provide fixed-price ISO 27001 implementation resources and consultancy support for all organizations, whatever their size, sector, or location, from under $600.
Civil monetary penalties (CMPs) for HIPAA violations can be as much as $50,000 per violated record, up to an annual maximum of $1.5 million, and criminal penalties can include fines of up to $250,000 and ten years’ imprisonment.