Healthcare is now the top industry for cyber attacks. Health records are valuable to attackers because much of what they contain stays valid and exploitable for years: credit card data, email addresses, Social Security numbers, employment information and medical histories can all be used for fraud or identity theft.
But healthcare data breaches are often not the result of hacking.
Privacy breaches happen for many reasons and under many different circumstances. At one extreme, an organization may not understand its own security technology and may lack any accountability for patient privacy; at the other, a password-protected laptop may be stolen or an unencrypted thumb drive lost even at an organization that had the expected precautions in place. The distinction that matters in such cases is encryption, not the login password: a password does not protect data at rest, since the drive can simply be read from another machine, whereas properly encrypted data is treated as secured under the HIPAA Breach Notification Rule and its loss generally does not have to be reported.
The average global cost of a data breach is $158 per lost or stolen record; for healthcare organizations it is $355 per record, according to a recent survey by the Ponemon Institute. That figure includes direct costs (money spent to limit the consequences of the breach and to assist victims) and indirect costs (the value of existing internal resources spent dealing with it). A recent article in Health IT Security outlined five healthcare data breaches in 2015 that were not caused by hacking. Instead, theft, loss, improper disposal, and unauthorized email access or disclosure caused the largest incidents.
#1 Medical records found on a Florida street
Radiology Regional Center in Florida notified patients of a possible healthcare data breach after some paper records were found on a street. Some 483,063 individuals were potentially affected.
Radiology Regional explained in a statement that “a small quantity of records” fell onto the street while being transported by the Lee County Solid Waste Division, which is responsible for disposing of the center’s patient records.
Patient names, addresses, phone numbers, Social Security numbers, dates of birth, health insurance numbers, other medical status and assessment information as well as some financial information may have been exposed.
#2 Missing laptop creates Premier Healthcare data security incident
Indiana-based Premier Healthcare, LLC reported that a laptop was stolen from its billing department. The device was returned to Premier a few months later, and forensic analysis determined that it had not been powered on since it went missing. Approximately 205,000 individuals were possibly affected, according to a report by an information security consulting firm that specializes in digital forensics and incident response. A laptop that was never powered on is good evidence that nothing was read through its operating system, but boot history alone does not rule out the drive having been removed and imaged elsewhere; whether the disk was encrypted is what settles that question.
#3 Patient records found in dumpster
Community Mercy Health Partners (CMHP) reported that patient records were found in a dumpster. It was later concluded that one of its vendors had disposed of lab records by placing them in the dumpster. Patients’ names, physicians’ names, accession numbers, types of study, guarantor information, health insurance information, diagnoses, and other clinical information may have been exposed, according to CMHP. Social Security numbers and driver’s license numbers may also have been included in some instances. An estimated 113,528 individuals were affected.
#4 Washington State facility breach affects 91,000 patients
Just over 91,000 individuals were affected by a potential healthcare data breach at the Washington State Health Care Authority (HCA). HCA reported that one of its employees had mishandled patient information from Apple Health, Washington’s Medicaid program, which provides free health coverage to low-income residents. Two HCA employees allegedly exchanged Apple Health patient information improperly while one was helping the other with a spreadsheet problem. Both employees state that the information was not used for any other purpose.
“While we have no indication that the client files went beyond the two individuals involved, important privacy laws were violated and we are exercising caution and due diligence given the nature of the information,” explained an HCA spokesperson.
#5 Laptop theft affecting 52,000 individuals in Kansas
Kansas-based Valley Hope Association recently reported that a work-issued laptop was stolen from an employee’s car. Valley Hope did not state how many individuals were affected, but the HHS Office for Civil Rights (OCR) breach portal lists 52,076 individuals as possibly affected. The theft was reported immediately, according to Valley Hope, and the non-profit explained that it launched an investigation as soon as it was made aware of the incident.
“We also disabled the laptop’s network connection capabilities, disabled the employee’s access credentials, and confirmed that our network systems were not accessed by the laptop since the employee’s last valid access before the laptop was stolen,” Valley Hope explained in its statement.
Patient names paired with one or more personal identifiers may have been exposed. These include Social Security numbers, dates of birth, addresses, phone numbers, state identification or driver’s license numbers, physician name, treatment and treatment location, diagnoses, medical record numbers, disability codes, usernames and passwords, tax identification numbers, patient account information, health insurance information, financial information, and medical information.
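Valley Hope’s statement above describes the check an incident responder runs after a device theft: go to the authentication logs and confirm that the stolen machine never reached the network after the employee’s last legitimate use. The script below is an added example of that check; it is not code from the article or from Valley Hope, and the log format, gateway name, usernames, device identifiers, addresses and timestamps are all constructed for illustration.

```python
"""Added example: confirm whether a stolen laptop authenticated to company
systems after the employee's last legitimate use. Log format, hostnames,
users, devices and timestamps are constructed for illustration."""
from datetime import datetime, timezone

# Constructed VPN gateway authentication log (not real data). Each line:
# <UTC timestamp> <gateway> auth=<success|failure> user=<u> device=<id> src=<ip>
SAMPLE_AUTH_LOG = """\
2015-11-02T08:14:05Z vpn-gw01 auth=success user=jdoe device=LT-4471 src=203.0.113.7
2015-11-02T17:42:19Z vpn-gw01 auth=success user=jdoe device=LT-4471 src=203.0.113.7
2015-11-03T09:01:44Z vpn-gw01 auth=success user=asmith device=LT-2210 src=198.51.100.9
2015-11-04T02:33:10Z vpn-gw01 auth=failure user=jdoe device=LT-4471 src=192.0.2.55
2015-11-04T02:35:51Z vpn-gw01 auth=success user=jdoe device=LT-4471 src=192.0.2.55
"""


def _parse_ts(text):
    """Parse the assumed 'YYYY-MM-DDTHH:MM:SSZ' timestamp as timezone-aware UTC."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_line(line):
    """Turn one log line into a dict of its key=value fields plus 'ts' and 'host'."""
    ts_text, host, *pairs = line.split()
    event = dict(pair.split("=", 1) for pair in pairs)
    event["ts"] = _parse_ts(ts_text)
    event["host"] = host
    return event


def audit_stolen_device(log_text, device, last_valid_access):
    """Report every authentication event from `device` after `last_valid_access`
    (an ISO-8601 UTC string taken from the employee's account of when the laptop
    was last legitimately used). Source addresses seen during legitimate use are
    remembered so that a success from a never-before-seen address can be flagged."""
    cutoff = _parse_ts(last_valid_access)
    events = [parse_line(line) for line in log_text.splitlines() if line.strip()]
    from_device = [e for e in events if e.get("device") == device]

    legit = [e for e in from_device if e["ts"] <= cutoff and e["auth"] == "success"]
    known_sources = {e["src"] for e in legit}
    after = [e for e in from_device if e["ts"] > cutoff]

    return {
        "device": device,
        "clean": not after,  # no activity of any kind from this device after the cutoff
        "failed_attempts_after": sum(1 for e in after if e["auth"] == "failure"),
        "successful_logins_after": [
            {"ts": e["ts"].isoformat(), "src": e["src"],
             "new_source": e["src"] not in known_sources}
            for e in after if e["auth"] == "success"
        ],
    }


if __name__ == "__main__":
    # The employee last used LT-4471 on the evening of 2 Nov; was it used after that?
    report = audit_stolen_device(SAMPLE_AUTH_LOG, "LT-4471", "2015-11-02T17:42:19Z")
    status = "CLEAN" if report["clean"] else "ACTIVITY AFTER LAST VALID USE"
    print(f"{report['device']}: {status}")
    for login in report["successful_logins_after"]:
        flag = " (new source address)" if login["new_source"] else ""
        print(f"  successful login {login['ts']} from {login['src']}{flag}")
    print(f"  failed attempts after cutoff: {report['failed_attempts_after']}")
```

Any successful authentication after the cutoff is a confirmed indicator that the thief used the device, and even failed attempts mean someone tried. A clean result, however, only shows the laptop was not used against these systems; it says nothing about what was read from the disk offline, which is why the encryption status of the device decides whether a breach of the data on it must be assumed.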
So what can healthcare entities, large and small, do to minimize the risk of compromising patient data? An article published in the New England Journal of Medicine outlines the types of safeguards healthcare providers can use to protect patient information.
- Confidential patient care – private examination and consultation rooms, attention to eavesdropping risks
- Document storage – secure-access filing for medical records and bills, controlled prescription pads
- Document disposal and destruction – shredding
- Safe hardware disposal – wiping the hard drives of returned rental photocopiers and properly disposing of retired computers
- User authentication – passwords, automatic logouts and biometrics
- Systems protections – firewalls, anti-virus software and active audit trails
- Careful hiring practices – vigilant vetting of potential hires, including background checks
- Training and education – training on individually identifiable information, appropriate information sharing and protocols for screening those who request information
- Termination and separation protocols – timely deactivation of electronic and physical access
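The last item, timely deactivation of access on termination, is the safeguard on this list that can be verified mechanically rather than by policy review. The script below is an added example, not from the NEJM article or from the original page: it reconciles a constructed HR roster against a constructed directory and badge export and reports accounts, badges and logins that outlived a separation date. The column layouts, names, usernames, dates and the one-day grace period are all assumptions.

```python
"""Added example: reconcile HR terminations against directory accounts and
badge records to find access that outlived the separation date. The CSV
layouts, names, usernames, dates and grace period are constructed assumptions."""
import csv
import io
from datetime import date, timedelta

# Constructed HR roster export (not real data).
HR_ROSTER_CSV = """\
employee_id,name,status,termination_date
1001,J. Doe,active,
1002,A. Smith,terminated,2015-09-30
1003,R. Lee,terminated,2015-10-15
1004,M. Chen,terminated,2015-10-20
"""

# Constructed directory/badge export: one row per account, joined on employee_id.
DIRECTORY_CSV = """\
username,employee_id,enabled,last_login,badge_active
jdoe,1001,true,2015-11-01,true
asmith,1002,true,2015-10-03,false
rlee,1003,false,2015-10-14,true
mchen,1004,false,2015-10-19,false
svc_backup,,true,2015-11-01,false
"""


def _date(text):
    """Parse an ISO date column; an empty cell means 'not set'."""
    return date.fromisoformat(text) if text else None


def find_offboarding_gaps(hr_csv, directory_csv, as_of, grace_days=1):
    """Return (username, issue) pairs for access that should have been removed.

    as_of: ISO date the audit is run on. grace_days: how long after the
    termination date an enabled account or badge is tolerated before it is
    reported (an assumed policy value, not from the article)."""
    today = _date(as_of)
    people = {row["employee_id"]: row for row in csv.DictReader(io.StringIO(hr_csv))}
    findings = []

    for acct in csv.DictReader(io.StringIO(directory_csv)):
        user = acct["username"]
        person = people.get(acct["employee_id"])
        if person is None:
            # Accounts with no owner in HR are never caught by termination-driven
            # deprovisioning, so they are reported separately.
            findings.append((user, "orphan account: no matching HR record"))
            continue
        if person["status"] != "terminated":
            continue

        term = _date(person["termination_date"])
        if term is None:
            findings.append((user, "terminated in HR but no termination date recorded"))
            continue
        deadline = term + timedelta(days=grace_days)
        if acct["enabled"] == "true" and today > deadline:
            findings.append((user, f"account still enabled {(today - term).days} days after termination"))
        if acct["badge_active"] == "true" and today > deadline:
            findings.append((user, "badge still active after termination"))
        last_login = _date(acct["last_login"])
        if last_login and last_login > term:
            # A login after the separation date is potential misuse, not just a gap.
            findings.append((user, f"login on {last_login} after termination on {term}"))
    return findings


if __name__ == "__main__":
    for user, issue in find_offboarding_gaps(HR_ROSTER_CSV, DIRECTORY_CSV, "2015-11-05"):
        print(f"{user}: {issue}")
```

Run against real exports, the same reconciliation should be scheduled daily and the login-after-termination finding treated as an incident to investigate, not a housekeeping item. The orphan-account case is included because accounts with no HR owner (service accounts, contractors entered outside HR) are exactly the ones a termination-driven process never disables.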