Tuesday, July 5, 2011

Prized Patient information open to Web-Highest Number of Security Breaches in Healthcare - Medical Providers


The chart below represents the highest number of security breaches happening in the healthcare sector of the US. The immediate question that comes to everyone's mind: is it because of low security standards or a lack of available controls? This is not true!!! There are strong controls like HIPAA to address security requirements, but it also depends on how and where these controls are implemented. A strategic initiative needs to be developed, involving management commitment with the right tools and strong business processes.


Types of breaches analyzed:
  1. Unintended disclosure (DISC) - Sensitive information posted publicly on a website, mishandled or sent to the wrong party via email, fax or mail.
  2. Hacking or malware (HACK) - Electronic entry by an outside party, malware, and spyware.
  3. Payment Card Fraud (CARD) - Fraud involving debit and credit cards that is not accomplished via hacking. For example, skimming devices at point-of-service terminals.
  4. Insider (INSD) - Someone with legitimate access intentionally breaches information - such as an employee or contractor.
  5. Physical loss (PHYS) - Lost, discarded or stolen non-electronic records, such as paper documents.
  6. Portable device (PORT) - Lost, discarded or stolen laptop, PDA, smartphone, portable memory device, CD, hard drive, data tape, etc.
  7. Stationary device (STAT) - Lost, discarded or stolen stationary electronic device such as a computer or server not designed for mobility.
  8. Unknown or other (UNKN)

Organization type(s) analyzed: BSO - Businesses - Other, BSF - Businesses - Financial and Insurance Services, BSR - Businesses - Retail/Merchant, EDU - Educational Institutions, GOV - Government and Military, MED - Healthcare - Medical Providers, NGO - Nonprofit Organizations

A few examples of breaches:

Barnes-Jewish Hospital, The Siteman Cancer Center, Washington University Saint Louis, Montana
A laptop containing unencrypted patient information was stolen during the weekend of December 4, 2010. It contained the names, Social Security numbers, dates of birth, addresses, phone numbers, email addresses, medical records, diagnoses, lab results, insurance information and employment information.

Boulder Community Hospital Boulder, Colorado
A contract nurse is accused of accessing patient information without authorization.  He faces a 90-count felony indictment.  He allegedly used the Social Security numbers and other private information found in patient files to open credit cards in patients' names. 

The VA Caribbean Healthcare System San Juan, Puerto Rico
Veterans and staff had their personal information left unsecured in an open area in the San Juan VA Medical Center. Some of the information included patient care assignment documents with names and Social Security numbers and counseling letters. It is not clear what type of staff information was exposed. The information was supposed to have been shredded.

Healthcare Partners Long Beach, California
Nineteen computers were stolen during an office burglary on Monday, April 18. Administrative information such as names, addresses, dates of birth, medical record numbers, and health insurance plan ID numbers was exposed. Sensitive medical information such as treating physician names, diagnoses, treatment plans, progress notes, prescriptions, referrals, and authorizations was also exposed. A safe with 16 patient checks and 60 patient credit card receipts was also stolen.

Indiana Regional Medical Center Indiana, Pennsylvania
A former employee stole more than 500 patient records for the purpose of using them as evidence in a legal dispute with a physician.  The theft occurred in September of 2010 and included the medical information of three or four patients, as well as administrative information related to hundreds of other patients.

Trinity Medical Center (Montclair Baptist Medical Center) Birmingham, Alabama
A former employee was caught stealing patient information for the purpose of identity theft. Hundreds of pages of information with patient names, Social Security numbers, dates of birth and some medical information such as scheduled procedures were found at the employee's residential address.
