2010: The Year of the Healthcare Data Breach

January 6, 2010 – 1:15 am

by Doug Pollack

An article today on iHealthbeat titled “Innovation Inspired by Economics: 2010 Health IT Forecast” discusses trends and expectations for growth in healthcare information technologies, despite the financial issues currently faced by many US healthcare providers.

“Necessity being the mother of invention, a constrained economic environment will lead to health IT innovations in two ways. First, lower cost technologies are emerging in health IT, such as open-source software, software as a service, and cloud computing, all of which will be priced lower than traditional health IT offerings. Cloud computing (the use of the Internet to store, manipulate and deliver data already existing on the Web) is seen by some health IT consultants as a useful tool in health, especially for small medical practices.”

The growth in adoption of electronic health record (EHR) systems, the noted trends towards the use of open source software and cloud computing, and new privacy legislation with steep penalties for breaches in security together create a “perfect storm” for healthcare with respect to data breach incidents.

The iHealthbeat article further notes the evolution of risks and the new legal requirements now associated with HIPAA business associates.

“We can expect tougher privacy and security enforcement in health care in 2010 because of new and heftier privacy and security penalties written into the American Recovery and Reinvestment Act. The civil penalty cap will be raised from $25,000 to $1.5 million. This is a major issue for 2010 because nearly 60% of business associates interviewed in a HIMSS Analytics survey in November 2009 were unaware that changes to HIPAA will go into effect in 2010. That’s when consumers are guaranteed ‘prompt access’ to an electronic copy of their health records.”

Everything points toward 2010 being a very interesting year when it comes to patient privacy and data security.

North Pole Data Breach

December 22, 2009 – 12:11 am

Just in: a data breach incident has occurred at the North Pole. Santa has notified over 4MM good boys and girls and is providing one year of free credit monitoring and sleigh rides. While Linda Foley, chair of the Identity Theft Resource Center, was not familiar with this specific incident, she was quoted as having said that “Santa is planning on using data encryption on all North Pole workshop laptops starting in 2010”.


Identity Theft Myths

December 19, 2009 – 12:07 am

Article by Rachel James from ID Experts, reprinted in its entirety.

Thanks to identity theft awareness programs, many people are now exercising increased caution when online. Most folks understand the danger in revealing too much personal information on the Internet, or falling for phishing scams. However, there are still some persistent myths that may be keeping you from protecting yourself and your identity. Here we will look at just three of these myths, and the facts that lay behind them.

Myth 1: I know what those scams look like, bad spelling and terrible English. Who falls for those things anyway?

Fact: Indeed, many people are familiar with the obvious signs of a scam. So many people are wise to these frauds that scammers have begun to outsource their products and develop corporate-like organizations to work on sophisticating their “product”. They are merging, expanding and training to improve their scams. Many of those “work from home” scams you see on craigslist are actually paid positions to edit these scam emails to make sure grammar and spelling are good enough to fool someone into believing the IRS really does have a bailout for you. In addition to emails and phone calls, scammers are moving to text messages and social networks and purchasing uniforms to pose as police, census workers, UPS drivers and other “authorities”. Scams and fraud will continue to evolve and become more sophisticated. Remember to regularly look for scam updates from your state Attorney General, the BBB, the FTC and your local news in order to stay on your toes.

Myth 2: I do not need to worry about identity theft because: I don’t use my credit and I don’t need credit / My credit is so bad / I’ve placed an alert or freeze on my credit bureau

Fact: Identity theft comes in many forms. Financial identity theft is just one of those, and even if your credit is terrible, it can still occur. There are many accounts (utilities, phones, payday loans) that can still be opened with a frozen credit report or with no credit. Collections and judgments on those accounts can still be issued and your wages could be garnished, your driver’s license revoked or other disruptive consequences can result if you ignore your credit reports. Additionally, other forms of identity theft such as criminal and medical identity theft can still occur and be very dangerous. Criminal identity theft could cause your car to be impounded, and you might find yourself spending a night in jail while the police figure out that you are not the same person they fingerprinted for the warrant. Medical identity theft can literally cost you your life. No matter what your situation is, you need to check your credit reports every 3-4 months by going to www.annualcreditreport.com

Myth 3: I have a Mac and I shred everything so I am safe.

Fact: You still need to run security software such as anti-malware and firewalls while operating your Mac. As Macs become more popular, more malware is being designed to specifically target those operating systems. Don’t believe me? Don’t take my word for it; see this article from MacWorld.com which discusses the call for the FTC to crack down on Apple’s advertising claims in the face of gross security negligence or this article on Mac myths. While data regarding the source of identity theft is limited, there is a bit of common sense and a few statistics we should use as consumers. The first is that you are not the sole custodian of your data. Every bank you use, every merchant you make purchases with, every school, hospital and employer you have visited probably has some part or all of your personal information. Even if you do everything right, a breach at any of these places can place you at risk. Further, a recent report by Javelin indicates that those who are victims of a data breach are four times more likely to be a victim of fraud.

Now that you understand these three common identity theft myths, you might be wondering what you should do to protect yourself. The answer is that you should prepare for the worst. Don’t just get insurance to cover the costs of recovering your identity, hire a team of experts to be on your side who will restore your identity for you. Let trained professionals help you take steps to protect yourself and provide you peace of mind that they will advocate for you if you become a victim. If you should become a victim of a data breach, demand that restoration services be provided to you at no cost in the event that you become a victim. More information about these services, as well as tips, tricks and resources, can be found at www.idexpertscorp.com

Rachel James writes on behalf of IDExperts. You can follow their Twitter account here.

Government Data Breaches Expose 2500% More Records in 2009

December 4, 2009 – 12:12 am

by Doug Pollack

It has been reported that 2009 has been the year of the mega-data breach. Recently reported statistics by the Identity Theft Resource Center (ITRC) would seem to bear this out as far as our federal government and military are concerned as well.

Government Technology, commenting on the report, noted that “the breaches so far in 2009 have compromised more than 79 million records, whereas fewer than 3 million were hacked in 2008. A sobering upswing, to say the least.” This represents a staggering 2500% growth in the number of individuals whose personal information was exposed via our federal government in 2009 (year to date) vs. 2008.

Linda Foley, founder and chairwoman of the ITRC stated that “it’s the same problem. Records are being exposed, so they’re being hacked into; they’re being lost; they’re being put into laptops and carried around. Again, it comes back to, ‘Why are they carrying information with them that they didn’t need?’”

The data confirmed what has become somewhat obvious to those who follow the data breach situation, that the increasing mobility of data and data access significantly contributes to the risks of loss. While there are technology solutions to this problem, the adoption and use of mobile devices seems to be outpacing organizations’ ability to address the new risks.

Reporting of Healthcare Data Breaches?

November 24, 2009 – 12:48 am

by Doug Pollack

Since the HITECH Act data breach notification provisions became effective this past September 23, 2009, I’d recently become curious about the number and nature of data breaches that would start to appear on the website at the Department of Health and Human Services (HHS).

The HHS Rules require healthcare organizations (specifically HIPAA covered entities) to report to HHS any data breach incidents that have affected over 500 individuals, shortly after the breach is discovered. I noticed that the Identity Theft Resource Center (ITRC) 2009 ITRC Breach Report, a terrific compendium of public information from numerous sources on data breach incidents, had captured numerous healthcare data breaches since the September 23rd effective date. And of course there have been several very high profile healthcare data breaches recently, including the Blue Cross Blue Shield Association breach that affected over 850,000 of their medical providers, as well as the recent Health Net data breach affecting over 1.5MM individuals.

So with great anticipation I visited the HHS website where there is a section on the Breach Notification Rule and clicked on the following link:

“View Breaches Affecting 500 or More Individuals. OCR must post a list of breaches that affect 500 or more individuals.  View a list of these breaches.”

And surprisingly, there was nothing there. Now, it is very hard to imagine that no data breaches have been detected since September 23rd that affected over 500 individuals and would have had the potential to lead to harm for the affected population. So, I’m perplexed as to why there aren’t any data breaches over 500 individuals yet listed by HHS.

I guess it is possible that some healthcare providers may still be unaware of the reporting mandate, but it would seem unwise of others that are aware of the breach notification provisions and have experienced a sizable data breach to neglect to comply with the mandatory HHS reporting requirement. If anyone can shed light on the lack of content on the HHS data breach notification site, I think it would be of interest to all of us who are watching to see whether the public reporting provisions of the HITECH Act will result in more responsible behavior by entities that expose our protected health information (PHI).

Protecting Patient Privacy

November 9, 2009 – 11:42 pm

Healthcare organizations arguably hold the most personal and sensitive information that we possess. While HIPAA has provided for protection of the privacy of this information for a number of years, there appears to have been little in the way of enforcement of HIPAA during this period. With the passage of the HITECH Act, this is likely to change.

With fines now authorized for up to $1.5 million for data breach incidents, there is even more reason for hospitals, clinics, pharmaceutical and life sciences companies, and health insurers to evaluate whether they are using best practices for protecting patient privacy.

A recently published article titled “Staying HITECH-Healthy: How Healthcare Can Protect Patient Privacy” is instructive in terms of how to reduce risks while ensuring effective preparation for data breach incidents. It also outlines how organizations can treat a data breach incident as an “opportunity” to do the right thing and potentially find the silver lining in such situations by providing a caring, helpful hand to their patients.

Most of us have a choice as to where we receive our healthcare. How organizations handle, respond to, communicate with and help us with the loss of our patient data, when it occurs, can significantly affect our desire to continue to receive medical services from that institution.

Data breaches lead to 4X higher incidence of identity fraud

October 30, 2009 – 10:18 pm

by Doug Pollack

In a recently released report, Javelin Research has highlighted a key finding that is important to those of us who have received a data breach notification letter from an organization that we have entrusted with our personal information, whether a bank, healthcare provider, insurer or merchant. This finding is that individuals who receive a data breach notification letter are four times (4X) more likely to become victims of identity fraud.

“The Javelin report, Data Breach Notifications: Victims Face Four Times Higher Risk of Fraud, is based on multiple years of data and includes updates on 2009 data breaches, implications of changes to the legislative landscape and the technical means by which data breaches occur.”

This statistic is striking, in that it has been thought that the vast majority of data breach incidents are benign in nature. And because of this perception, recipients of data breach notification letters to some extent may have become desensitized to the level of risk of fraud that they face.

This research should be a wakeup call to consumers, but even more importantly, organizations that maintain databases of personal information on their customers and patients need to be hyper-aware that data breach incidents are being increasingly proven to do harm to those in the affected populations.

Confirmation of Blue Cross Blue Shield Breach

October 15, 2009 – 7:28 pm

by Doug Pollack

The Blue Cross Blue Shield Association (BCBSA) has affirmed that it has experienced a data breach incident affecting over 800,000 doctors in the US. According to Jeff Smokler at BCBSA, as reported in SC Magazine, thieves stole an employee’s computer that contained an unencrypted file with the personal information of nearly every doctor who accepts this popular health insurance plan.

“We had an employee who did not follow company procedure and removed information from a BCBSA computer and put it on a personal laptop,” Smokler said.

While the national BCBSA is offering a year of free credit monitoring to those affected by the breach, they appear to be working closely with the state BCBS affiliates in order to notify doctors of the incident. In Massachusetts, this notification occurred on October 2nd, as reported in a Boston Globe article.

A majority of US states have formal breach notification laws that require notification by letter to affected members of a breach population. There is also now a requirement to follow the HITECH Act notification rules, although it is unclear whether this particular incident would require this due to the somewhat ambiguous “harm threshold” that is written into the interim Rules published by the Department of Health and Human Services.

Blue Cross Blue Shield Breach

October 5, 2009 – 11:27 pm

by Doug Pollack

This past week, the Boston Globe wrote about a data breach incident at Blue Cross Blue Shield of Massachusetts that occurred in August of this year and where the affected population of people is just now being notified. The breach, which exposed social security numbers, affected over 39,000 physicians and healthcare providers in Massachusetts.

“It took some time to figure out what type of data was on the laptop,” said Tara Murray, Blue Cross and Blue Shield of Massachusetts spokeswoman. “There is no reason to believe the data has been used to steal people’s identity, but we are just being cautious . . . to notify them and offering free credit monitoring.”

The Boston Globe reported that:

“Jeff Smokler, national Blue Cross-Blue Shield spokesman, said the insurance giant - roughly 90 percent of physicians nationwide are in its network - encrypts all of its information on company computers, but an employee who was authorized to have the information violated company rules by downloading an unencrypted version onto a personal laptop. The laptop was stolen after the employee left headquarters with it.”

It is nice to see Blue Cross-Blue Shield taking the high ground and notifying the affected individuals and providing them with a modicum of protection, given that their analysis didn’t lead to a high level of concern that the information would be misused.

The recently enacted HITECH Act requires that healthcare organizations notify individuals, Health and Human Services (HHS) and the public (via press release or other visible medium) for data breaches that exceed 500 individuals. HHS Interim Rules only mandate notification if an internal risk assessment concludes that there is significant risk of financial, reputational or other harm. Given how “squishy” this harm threshold is, it is prudent for organizations to notify under most circumstances.

This case also exemplifies how the majority of data breach incidents are not due to cybercrime and related external threats, as is often believed, but are more often caused by an accidental (or intentional) failure by employees to follow internal policies and practices, or in other cases by situations where an employee intends to perpetrate fraud using their access to personal information. In either case, the threat is internal rather than external.

Measuring Data Breach Risk

October 1, 2009 – 7:05 pm

In recent months, with the continued growth in highly public data breach incidents, we began looking at how organizations assess their level of exposure to data breach risk. I suspect if you ask the CEO of most public companies or public sector organizations about their level of risk, they would tell you that they are “highly secure” and maintain excellent practices to prevent the misappropriation of personal information of their customers, patients, employees, students and other affiliates.

For many firms, they have to meet security and compliance requirements that are necessities in their industry, such as PCI for those that handle credit card information and HIPAA for healthcare organizations. Historically I think that they felt such rigorous compliance requirements could ensure their safety from the risks of data breach.

However, the recent past demonstrates that no organization is really immune to a potential data breach incident. The very visible Heartland Payment Systems breach affected many millions of Americans whose credit cards were processed by Heartland, an organization that had to adhere to very strict security standards set for the financial industry and their payment processors. This seeming inconsistency between a perception of being immune from data breach risks and the rapid growth in data breach incidents led us to think about whether organizations can “quantify” their level of data breach risk.

We were somewhat surprised that there isn’t much available to organizations to help them in measuring and scoring their level of data breach risk. Given this situation, we began to look at how we could model and quantify risks specific to the breach of personally identifiable information (PII) and personal health information (PHI), since it is the unauthorized release of this information that is regulated by state and now federal laws.

To this end, we created what we call the Breach Healthcheck(tm), a tool that uses a proprietary model to assist organizations in quantifying two dimensions of measurement into a Breach Protection Index(tm), measuring both an organization’s level of data breach exposure and its level of data breach protection. Breach Healthcheck then maps this index onto a two-dimensional risk map that gives organizations a visual indicator of their level of data breach risk.

Our sense is that organizations that are trusted to hold PII and PHI will find it useful to be able to measure their level of data breach risk, and to understand the primary areas where their practices may lead to unanticipated levels of risk. To get complimentary access to the Breach Healthcheck tool, qualified organizations can contact ID Experts at www.idexpertscorp.com or 866-726-4271.