More patient records were exposed in the first half of 2015 than in the whole of 2012, 2013 and 2014 combined, and it seems that things are looking no better for PHI as we enter the second half of the year.
Curiously, a large proportion of this month’s incidents stem from patient information being sent to the wrong recipient.
Integral Quality Care – undisclosed number
Integral Quality Care (IQC) sent breach notification letters to some of its Integral Health Plan (IHP) members on July 6, informing them of a “processing mistake” in which payments were sent to doctors with incorrect patient information. This information included “name, date of birth, Florida Medicaid Identification number, diagnosis code(s), procedure code(s) and payment. The payment notice did not include [the victims’] social security number, financial information, or address.”
IQC’s notification letter to patients can be read here >>
UCLA Health System – up to 4.5 million patients
The University of California, Los Angeles Health System (UCLA) has reported that an attacker “accessed parts of the UCLA Health network that contain personal information, like name, address, date of birth, social security number, medical record number, Medicare or health plan ID number, and some medical information (e.g., medical condition, medications, procedures, and test results).” 4.5 million individuals were potentially affected.
UCLA Health’s notification to patients can be read here >>
Arkansas Blue Cross and Blue Shield – 560 patients
Arkansas Blue Cross and Blue Shield (ABCBS) has informed patients of the theft of two computers from Treat Insurance Agency, “an insurance broker that solicits and submits applications for health insurance coverage to insurers”. The computers stored information relating to 560 ABCBS applicants and members, including “name, street address, telephone number, email address, date of birth and Social Security number. Depending on the type of application that was submitted, the stolen information may also include driver’s license number, Medicare claim number, bank account draft information, and certain medical history that may have been provided in connection with the application.”
ABCBS’ HITECH substitute notice can be found here >>
Meanwhile, the Blue Cross Blue Shield Association (BCBSA) has offered free identity theft services to all 106 million members following a series of high-profile PHI breaches, including the massive incidents at Anthem and Premera Blue Cross.
University of Pittsburgh Medical Center Health Plan – 722 patients
UPMC Health Plan has notified 722 patients of a data breach that occurred when “a data file intended for a primary care physician (PCP) office was emailed to an incorrect email address.” Disclosed personal information included names, phone numbers, member ID numbers, dates of birth, PCP office names, and insurance plan types. Social Security numbers were not disclosed. “The recipient of the email was contacted and advised to delete the email and destroy the attached data file. Health Plan staff have been re-educated on policies related to electronic communications and the staff member who made the error has been disciplined.”
UPMC’s letter to patients can be read here >>
UPMC is no stranger to data breaches. In May, 2,259 UPMC patients were notified that their information had been disclosed to a third party, and last year criminal hackers stole a database containing the personal information of all 62,000 UPMC employees.
Howard University Hospital – 1,145 patients
The Washington Post reports that Howard University Hospital in Washington, DC, has disclosed a mailing error, in which 1,145 patients “accidentally received letters intended for other patients with the same last names”. The letters contained patients’ names, account numbers, and the dates they visited Howard University doctors. No other information was disclosed.
Ohio University Hospital Elyria Medical Center – 297 patients
The Chronicle-Telegram reports that the medical records of 297 Elyria Medical Center patients were “inappropriately accessed” by a former hospital employee. Information included “names, dates of birth, medical record numbers, dates of service and diagnostic and treatment information”. Some patients’ addresses, telephone numbers, and health insurer names were also accessed. No Social Security numbers or financial information were affected. A spokeswoman for the hospital said, “We did not identify any purpose for the activity. It appears the employee was snooping out of curiosity.”
Those affected have been notified.
University of California San Francisco (UCSF) – 435 patients
The theft of a laptop from the office of a faculty member in the Cardiac Electrophysiology & Arrhythmia Service at the University of California San Francisco resulted in the loss of “some personal, research and health information” relating to 435 individuals. This information “may have included individuals’ names, dates of birth, medical record numbers, and health insurance ID numbers… No Social Security numbers were identified”.
Those affected have been notified. More information is available here >>
Orlando Health – 3,200 patients
Orlando Health has announced that a nursing assistant was found to be “accessing patient records outside their current job responsibilities […] The employee accessed patients’ electronic medical record which may have included patients’ names, dates of birth, addresses, medications, medical tests and results, other clinical information, and the last four digits of social security numbers. In a limited number of patients, the employee may have also accessed insurance information. Based upon our investigation, the employee was terminated by Orlando Health.”
Orlando Health’s substitute notice can be found here >>
Orlando Health has experience of data breach incidents. In May this year the personal information of 68 Orlando Health patients was found in a driveway, last year the hospital lost a flash drive containing the information of 586 children treated at the Arnold Palmer Medical Center, and in 2011 it fired three employees for inappropriately accessing patient information.
Massachusetts General Hospital – 648 patients
An employee of Massachusetts General Hospital (MGH) “inadvertently sent an email, which included some patient information, to an incorrect email address.” 648 patients have been notified that their “names, lab results, and, in some instances, Social Security numbers” were affected. Insurance policy numbers and financial information “were not included in the email.”
MGH’s notification to the New Hampshire Attorney General can be found here >>
The Health Insurance Portability and Accountability Act (HIPAA)
Health care organizations are bound by the Health Insurance Portability and Accountability Act (HIPAA), whose Administrative Simplification rules regulate the use and disclosure of Protected Health Information (PHI) by covered entities.
A Vormetric study found that “26 percent of healthcare respondents reported that their organization had previously experienced a data breach”, and a recent Ponemon Institute report found that criminal attacks are the most common cause of health care data breaches. “Criminal attacks on healthcare organizations are up 125% compared to five years ago”, Ponemon notes, and “45% of [breached] healthcare organizations say the root cause of the data breach was a criminal attack”.
HIPAA covered entities that are concerned about data security should implement an information security management system (ISMS), as specified by the international best-practice standard ISO 27001.
By virtue of its all-inclusive approach, ISO 27001 encapsulates the information security elements of HIPAA by providing an auditable ISMS designed for continual improvement.
It is often the case that companies will also achieve compliance with a host of other related legislative frameworks simply by achieving ISO 27001 registration. In addition to this, the external validation offered by ISO 27001 registration is likely to improve an organization’s cybersecurity posture while providing a higher level of confidence to customers and stakeholders – essential for securing certain global and government contracts.
IT Governance’s ISO 27001 Packaged Solutions provide fixed-price ISO 27001 implementation resources and consultancy support for all organizations, whatever their size, sector, or location, from under $600.
Civil monetary penalties (CMPs) for HIPAA violations can be as much as $50,000 per compromised record, up to an annual maximum of $1.5 million, and criminal penalties can incur fines of up to $250,000 and ten years’ imprisonment.