Health Care Breach Watch: Saint Agnes Health Care, Inc.

123 million health care records breached so far this yearFollowing yesterday’s news that Seton Family of Hospitals in Texas suffered a data breach as the result of an email phishing attack comes information about Baltimore-based Saint Agnes Health Care, Inc., which recently informed 25,000 individuals that its employees had also fallen victim to an email phishing attack:

“Through a fraudulent e-mail communication, sophisticated hackers gained access to protected health information contained in an employee e-mail account.  The incident resulted in certain patient protected information being compromised, which included one or more of the following items: name, date of birth, gender, medical record number, insurance information, limited clinical information and, in four cases, social security numbers.”

Saint Agnes’ official statement can be found here.

Total medical records breached in 2015

According to my calculations, the tally of health care records affected by data breaches disclosed in 2015 now stands at 123,273,786.


Phishing attacks, in which unsuspecting users are tricked into downloading malware or handing over personal and business information, are becoming increasingly common. They usually take the form of email links to malicious websites masquerading as legitimate ones. All organizations should ensure that their staff are properly trained to recognize phishing scams and exercise caution when clicking links in unsolicited messages.

IT Governance’s Employee Phishing Vulnerability Assessment will identify potential vulnerabilities among your employees and provide recommendations to improve your security, giving you a broad understanding of how you are at risk and what you need to do to address these risks.

Click for more information >>

The Health Insurance Portability and Accountability Act (HIPAA)

Health care organizations are bound by the Health Insurance Portability and Accountability Act (HIPAA), whose Administrative Simplification rules regulate the use and disclosure of Protected Health Information (PHI) by covered entities.

ISO 27001

HIPAA covered entities that are concerned about data security should implement an information security management system (ISMS), as specified by the international best-practice standard ISO 27001.

By virtue of its all-inclusive approach, ISO 27001 encapsulates the information security elements of HIPAA by providing an auditable ISMS designed for continual improvement.

It is often the case that companies will also achieve compliance with a host of other related legislative frameworks simply by achieving ISO 27001 registration. In addition to this, the external validation offered by ISO 27001 registration is likely to improve an organization’s cybersecurity posture while providing a higher level of confidence to customers and stakeholders – essential for securing certain global and government contracts.

IT Governance’s ISO 27001 Packaged Solutions provide fixed-price ISO 27001 implementation resources and consultancy support for all organizations, whatever their size, sector, or location, from under $600.

Civil monetary penalties (CMPs) for HIPAA violations can be as much as $50,000 per compromised record, up to an annual maximum of $1.5 million, and criminal penalties can incur fines of up to $250,000 and ten years’ imprisonment.

Click for more information >>

ISO 27001 Packaged Solutions

For more information on 2015’s other health care information breaches, click here, here, here, and here. And if you know of an incident that I’ve missed, do let me know.