'Wall of Shame' exposes 21M medical record breaches
Notification, reporting part of new rules under the Health Information Technology for Economic and Clinical Health Act
Computerworld - Over the past three years, about 21 million patients have had their medical records exposed in data security breaches that were big enough to require they be reported to the federal government.
Since Sept. 2009, 477 breaches affecting 500 people or more each have been reported to the Office for Civil Rights (OCR) under the U.S. Department of Health and Human Services. In total, the health records of 20,970,222 people have been compromised, the OCR said.
The Office for Civil Rights has been updating a list of the breaches on its website. The list is known to the health care industry as "The Wall of Shame," according to the OCR.
Six health care organizations listed on The Wall of Shame reported security breaches that involved one million or more records.
Among the largest breaches reported was TRICARE Management Activity, the Department of Defense's health care program, which reported 4.9 million records lost when backup tapes went missing. TRICARE, formerly known as Civilian Health and Medical Program of the Uniformed Services (CHAMPUS), provides civilian health benefits for military personnel, military retirees, and their dependents.
Other major breaches included: Health Net, which reported 1.9 million records lost when hard drives went missing; the New York City Health & Hospitals Corporation's North Bronx Healthcare Network, which reported the theft of 1.7 million electronic medical records; AvMed Health Plans in Florida, which reported the theft of a laptop with 1.22 million patient records; and Blue Cross Blue Shield of Tennessee, which reported the theft of an external hard drive with 1.02 million records.
WellPoint, the largest managed health care company in the Blue Cross and Blue Shield Association, also reported 31,700 of its customer records were compromised during the three-year time period. WellPoint's breach occurred via a hack to a network server, according to the report.
The Nemours Foundation, a health care organization that runs children's hospitals, also reported the loss of 1.05 million records when data backup tapes were lost.
The breach notification and reporting is part of new rules under the Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009. The rules not only require the public reporting of breaches but also increased penalties for violations of the Health Insurance Portability and Accountability Act (HIPAA), which requires organizations to safeguard patient information.
About 55,000 breach reports involving fewer than 500 records where also reported to the OCR from 2009, according to Rachel Seeger, a senior health information privacy specialist with OCR.
Theft made up 54% of the breaches, while hacking made up only 6% of the compromised data. Theft was followed by unauthorized access or disclosure for 20%, lost records and devices for 11%, improper disposal of records made up 5% and other/unknown categories made up 4%.
"By far ... theft is the number one type of breach we're seeing," Seeger said. "We've really seen this as a commentary on crime in America where the thieves are not after the information in the laptop, but they're after the laptop."
"Most of the portable devices are being stolen out of cars or otherwise being lost. Many of these laptops are lost by an employee while in transit on public transportation," Seeger added.
- NSA defends collecting data from U.S. residents not suspected of terrorist activities
- Groups fear bill would allow free flow of data between private sector and NSA
- Google's move into home automation means even less privacy
- Bill to require warrant for email searches gains ground in House
- Coming soon to a fridge near you -- targeted ads
- Snowden leaks prompt tech firms to tout privacy, transparency policies
- License reader lawsuit can be heard, appeals court rules
- Is EU's 'right to be forgotten' really the 'right to edit the truth'?
- Tails 1.0: A bootable Linux distro that protects your privacy
- Privacy jitters derail controversial K-12 big data initiative
- A More Predictable Way to Budget Software Costs Wavetronix enables creative collaboration while cost-effectively accessing all the latest tools with Adobe Creative Cloud for teams. For Wavetronix, collaboration was easy when...
- Adobe Creative Cloud for teams Security Overview This white paper describes the proactive approach and procedures implemented by Adobe to increase the security of your Creative Cloud experience and your...
- 3 Big Data Security Analytics Techniques You Can Apply Now to Catch Advanced Persistent Threats This technical white paper demonstrates how to use Big Data security analytics techniques to detect advanced persistent threat (APT) cyber attacks, and it...
- IT Security by the Numbers: Calculating the Total Cost of Protection Humorist Franklin P. Jones may have said it best: "When you get something for nothing, you just haven't been billed for it yet."...
- Live Webcast Security Vulnerabilities Associated With Having Local Administrator Privileges Viewfinity will demonstrate how removing admin rights and granularly managing privileges at the application level reduces the attack surface.
- Security Vulnerabilities Associated With Having Local Administrator Privileges Viewfinity will demonstrate how removing admin rights and granularly managing privileges at the application level reduces the attack surface.
- On-demand webinar - 7 Keys to Service Catalog Implementation Success Watch this webinar to learn 7 crucial keys to make your service catalog a success! All Data Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!