Health Care Breach Watch: May 2015 HIPAA breach notifications part II

May has been a busy month for health care data breaches; hot on the heels of last week’s HIPAA breach notification blog, here comes a second set of breaches.

If this is to be the pattern for the rest of the year, I’ll turn Health Care Breach Watch into a monthly round-up.

University of Rochester Medical Center 3,403 patients

The University of Rochester Medical Center (URMC) has notified 3,403 patients of its neurology department that a former employee took some patients’ personal information with her without permission when she left URMC for another practice. The information included “patient names, addresses, medical record numbers (these were internal URMC patient numbers), dates of birth, gender, diagnosis, and the date that patients were last seen by one of our health care providers. Please know that the list did not contain any treatment information, social security numbers, or insurance information.” URMC’s full letter can be found here.

Bellevue Hospital Center – approximately 3,300 patients

The New York City Health and Hospitals Corporation (HHC) has notified approximately 3,300 Bellevue Hospital Center patients that an employee shared a spreadsheet containing their information with an unauthorized recipient. According to Bellevue, “there is no indication that the information… was ever improperly used”. Bellevue’s full letter can be found here.

Jacobi Medical Center – 90,060 patients

During the same assessment that revealed the Bellevue breach (see above), HHC identified a separate incident, in which a former employee of the Jacobi Medical Center emailed the personal information of 90,060 patients to a personal email address. Patients have been informed by letter that the information included their “name, address, date of birth, telephone number, medical record number, treatment dates and types of services, limited sensitive health information, and your health insurance identification number, which may include your social security number”. Jacobi’s full letter can be found here.

Medical Management LLC – number unknown

As I wrote last week, a former employee of medical billing company Medical Management LLC has been accused of copying “personal information from the billing system” for nearly two years and disclosing that information to a third party. 2,259 patients of the University of Pittsburgh Medical Center (UPMC) were known to have been affected.

Now it seems the Medical Management LLC breach goes much further than UPMC. HIPAA Journal reports that 40 different health care providers have been affected. Fifteen hospitals have so far announced that they have been notified that patient records were affected by the incident:

  • Valley Hospital: Ridgewood, New Jersey
  • Englewood Hospital and Medical Center, New Jersey
  • Emergency Physicians of Englewood, New Jersey
  • Holy Name Medical Center: Teaneck, New Jersey
  • White Plains Hospital Center, New York
  • Phelps Memorial Hospital Center, New York
  • Emergency Physicians, New York
  • Park Slope Emergency Physician Services, PC, New York
  • The Brooklyn Hospital Center Emergency Medicine, PC, New York
  • University of Pittsburgh Medical Center, Pennsylvania
  • Conemaugh Memorial Medical Center
  • Conemaugh Meyersdale Medical Center
  • Conemaugh Miners Medical Center
  • Emergency Physicians of Pittsburgh, Ltd.
  • Tri-County Emergency Physicians, LLC, Illinois

The total number of breach victims is not yet known, but the reported number currently stands just shy of 10,000.

Beacon Health System – number unknown

Indiana-based Beacon Health System has notified an undisclosed number of patients that “it was the subject of a sophisticated phishing attack, and that unauthorized individuals gained access to Beacon employee email boxes, which contained the personal and protected health information of some individuals, including patients.” Information included “Social Security number, date of birth, driver’s license number, diagnosis, date of service, and treatment and other medical record information”.

Beacon’s full letter can be found here.

The Health Insurance Portability and Accountability Act (HIPAA)

Health care organizations are bound by the Health Insurance Portability and Accountability Act (HIPAA), whose Administrative Simplification rules regulate the use and disclosure of Protected Health Information (PHI) by covered entities.

ISO 27001

A Vormetric study found that “26 percent of healthcare respondents reported that their organization had previously experienced a data breach”, and a recent Ponemon Institute report found that criminal attacks are the most common cause of health care data breaches. “Criminal attacks on healthcare organizations are up 125% compared to five years ago”, Ponemon notes, and “45% of [breached] healthcare organizations say the root cause of the data breach was a criminal attack”.

HIPAA covered entities that are concerned about data security should implement an information security management system (ISMS), as specified by the international best-practice standard ISO 27001.

By virtue of its all-inclusive approach, ISO 27001 encapsulates the information security elements of HIPAA by providing an auditable ISMS designed for continual improvement.

It is often the case that companies will also achieve compliance with a host of other related legislative frameworks simply by achieving ISO 27001 registration. In addition to this, the external validation offered by ISO 27001 registration is likely to improve an organization’s cybersecurity posture while providing a higher level of confidence to customers and stakeholders – essential for securing certain global and government contracts.

IT Governance’s ISO 27001 Packaged Solutions provide fixed-price ISO 27001 implementation resources and consultancy support for all organizations, whatever their size, sector, or location, from under $600.

Civil monetary penalties (CMPs) for HIPAA violations can be as much as $50,000 per compromised record, up to an annual maximum of $1.5 million, and criminal penalties can incur fines of up to $250,000 and ten years’ imprisonment.
