Oregon’s Health CO-OP has notified every current and former member (approximately 15,000 individuals, according to SC Magazine) of a “potential privacy issue” in which “personal information may have been compromised”.
A laptop containing “member and dependent names, addresses, health plan and identification numbers, dates of birth and social security numbers” was stolen on April 3, but there is “no evidence” of the information being used.
A full statement can be found here.
The Health Insurance Portability and Accountability Act (HIPAA)
Health care organizations are bound by the Health Insurance Portability and Accountability Act (HIPAA), whose Administrative Simplification rules regulate the use and disclosure of Protected Health Information (PHI) by covered entities.
HIPAA-covered entities concerned about data security should implement an information security management system (ISMS), as specified by the international best-practice standard ISO 27001.
ISO 27001 provides a systematic framework for an organization to account for its information assets, assess security risks and implement effective controls to mitigate those risks. ISO 27001 is concerned with achieving an appropriate balance between the confidentiality, availability, and integrity of information, and is suitable for organizations of all sizes, sectors, and locations.
Companies often find that achieving ISO 27001 registration also brings them into compliance with a host of related legislative frameworks. In addition, the external validation offered by ISO 27001 registration is likely to improve an organization’s cybersecurity posture while providing a higher level of confidence to customers and stakeholders. The security of mobile devices – such as laptops, tablets, and smartphones – is also best managed as part of an enterprise-wide ISMS.
IT Governance’s ISO 27001 Packaged Solutions provide fixed-price ISO 27001 implementation resources and consultancy support for all organizations, whatever their size, sector, or location, from under $600.
Civil monetary penalties (CMPs) for HIPAA violations can be as much as $50,000 per compromised record, up to an annual maximum of $1.5 million, and criminal penalties can include fines of up to $250,000 and ten years’ imprisonment.
By my reckoning, the total number of medical records breached in 2015 now stands at 123,288,786.