A recent survey conducted by the University of Phoenix School of Health Services Administration found that more than 75% of US adults are concerned about the security of their health care data. This is hardly surprising: Even discounting the 78.8 million customers affected by the Anthem data breach at the beginning of the year, the number of medical records compromised by data breaches so far in 2015 already far exceeds last year’s total.
And still the breaches keep coming. Here’s a run-down of October’s incidents. This month, the theme seems to have been stolen laptops and mailing mistakes.
Blue Cross and Blue Shield of North Carolina (BCBSNC) – 2,337 members
In two separate incidents, Blue Cross and Blue Shield of North Carolina members’ information was disclosed by printing errors.
In the first, members’ invoice information – including names, addresses, internal BCBSNC account numbers, group numbers, coverage dates, and due premium amounts – was printed on the backs of other members’ invoices by mistake.
In the second, members received payment letters that included other members’ information, such as “health plan purchased, effective date, health insurance marketplace identification number, payment amount, telephone number and payment identification number”.
A total of 2,337 members were affected. BCBSNC’s breach notice can be read here >>
Affinity Health Plan – 721 members
A similar incident affected Affinity Health Plan. Affinity sent appointment reminders to 721 members in August, telling them to make an appointment “to complete a Child Health Plus renewal application”. Owing to a printing error, the reverse of the letters contained different patient information, including other children’s names, unique Affinity member identification numbers, and addresses. No medical or health information was disclosed. A copy of Affinity’s notification letter can be read here >>
Barrington Orthopedic Specialists – 1,009 patients
A laptop and EMG machine were stolen from a vehicle belonging to Barrington Orthopedic Specialists between August 14 and 18, potentially exposing the names, dates of birth, and EMG results and reports pertaining to 1,009 patients. Barrington’s substitute notice can be found here >>
Sentara Heart Hospital – 1,040 patients
Two encrypted hard drives containing backups of electronic patient notes – including patient names, unique medical record numbers, dates of birth, procedure dates, diagnoses, procedures, surgeon and staff names, allergies, notes, and medications relating to procedures performed – were stolen. A copy of the letter sent to affected patients can be read here >>
OU Health/Envision Rx – 540 health plan members
Thanks to another mailing error, 540 health plan members received letters containing other members’ claim information, including “first and last name, date of service, name of drug and dosage, cost of prescription, member [copy], and Plan paid amount. The information did not include the other member’s demographic, financial information or Social Security Numbers.” An update from OU Health can be read here >>
Emergence Health Network – 11,100 patients
In August, Emergence Heath Network – the local mental health authority for El Paso County – discovered a data breach dating back to 2012, potentially compromising patients’ first and last names, their addresses, dates of birth, Social Security numbers and case numbers, and information relating to the services they used. No medical records were held on the affected server. A copy of Emergence’s letter to patients can be read here >>
University of Oklahoma College of Medicine Department of Urology – 9,300 patients
A laptop that “may have included limited patient information […] such as patient name, diagnosis and treatment codes and dates (most between 1996-2006), date of birth or age, a brief description of a urologic medical treatment or procedure, medical record number, and the treating physician’s name” was stolen from a former employee of the University of Oklahoma Department of Urology in August. A copy of the notice to potentially affected patients can be read here >>
CarePlus Health Plans – approximately 1,400 patients
WTSP reports that an “error while processing statements might have led to a breach of personal information for clients of CarePlus Health Plans.” Approximately 1,400 members’ names, addresses, and CarePlus identification numbers were sent to other recipients when a “machine was programmed to insert two premium statements per envelope — instead of just one”, resulting in “some statements being sent to the wrong member.”
Humana – 2,800 members
Wisconsin health insurance company Humana has reported the theft of an encrypted laptop containing information pertaining to approximately 2,800 Medicare Advantage members along with hard-copy files – which included the names, dates of birth, and clinic names of about 250 of those members – from an employee’s vehicle. WISN has more information >>
New York City Health and Hospitals Corporation (HHC) – Woodhull Medical and Mental Health Center – 1,581 patients
A laptop containing 1,581 patients’ “medical record number, test results and narrative physician summary” was stolen from a patient examination room at the Woodhull Medical and Mental Health Center. A copy of Woodhull Medical Center’s letter to patients can be read here >>
Nephropathology Associates – 1,260 patients
Information including patients’ “first and last name, patient age at the time of treatment, Nephropath accession number, referring physician, and pathology diagnosis” was “inadvertently transmitted […] to a vendor via unsecured e-mail.” The vendor was informed and instructed to destroy the information. A copy of Nephropath’s letter to patients can be read here >>
North Carolina Department of Health and Human Services – 1,615 patients
A North Carolina DHHS employee inadvertently sent an unencrypted email to the Granville County Health Department. “Attached to the email was a spreadsheet containing information relating to individual Medicaid recipients. The information in the email included the individual’s first and last name, Medicaid identification number (MID), provider name and provider ID number, and other information related to Medicaid services.” A copy of North Carolina DHHS’s notification can be read here >>
Baptist Health and Arkansas Health Group – 6,500
Two former employees of Baptist Health and Arkansas Health Group downloaded patient information without permission, which they took to their new practice, Bray Family Health. They then used the information to contact patients about Bray Family Health. Information included “patient names, addresses, telephone numbers, dates of birth, gender, race, ethnicity, rendering provider, referring provider, and the date that patients were last seen by one of our health care providers”. A copy of Baptist Health’s patient notification letter can be read here >>
Johns Hopkins Medicine – 571 patients; 267 research subjects
An unencrypted laptop containing “limited information about 571 patients with cancer seen at The Johns Hopkins Hospital between 2006 and 2014 and about 267 people who participated in a research study on a rare genetic disorder between 2008 and 2015” was stolen from a Johns Hopkins physician at an airport. Patient data “was limited to the patient names, the dates seen at The Johns Hopkins Hospital, the names of patients’ physicians, one- to three-word diagnoses and medical record numbers—but not their contents—of the patients with cancer. For study participants, the information included patient names, study identification numbers and, for subsets, dates of birth, addresses, referring physicians’ names and comments on the disorder stated in technical terms.”
A statement from Johns Hopkins can be read here >>
Aspire Home Care and Hospice – 4,278 patients
Aspire Home Care and Hospice (formerly Indian Territory Home Health and Hospice) suffered a cyber attack in late July/early August resulting in the compromise of 4,278 patients’ protected health care information, “such as patients’ names, dates of birth, addresses, telephone numbers, Social Security numbers, insurance information, prescription information, patient identification/medical record numbers and certain medical/clinical information.” Aspire’s substitute notice can be read here >>
The Health Insurance Portability and Accountability Act (HIPAA)
Health care organizations are bound by the Health Insurance Portability and Accountability Act (HIPAA), whose Administrative Simplification rules regulate the use and disclosure of Protected Health Information (PHI) by covered entities. HIPAA covered entities that are concerned about data security would do well to implement an information security management system (ISMS), as specified by the international best-practice standard ISO 27001.
By virtue of its all-inclusive approach, ISO 27001 encapsulates the information security elements of HIPAA by providing an auditable ISMS designed for continual improvement.
It is often the case that companies will also achieve compliance with a host of other related legislative frameworks simply by achieving ISO 27001 registration. In addition to this, the external validation offered by ISO 27001 registration is likely to improve an organization’s cybersecurity posture while providing a higher level of confidence to customers and stakeholders – essential for securing certain global and government contracts.
IT Governance’s ISO 27001 Packaged Solutions provide fixed-price ISO 27001 implementation resources and consultancy support for all organizations, whatever their size, sector, or location, from under $600.
Civil monetary penalties (CMPs) for HIPAA violations can be as much as $50,000 per compromised record, up to an annual maximum of $1.5 million, and criminal penalties can incur fines of up to $250,000 and ten years’ imprisonment.