Welcome to the Nexus of Ethics, Psychology, Morality, Philosophy and Health Care


Thursday, December 8, 2011

UCLA breach: Do Not Take Data Home

By PAMELA LEWIS DOLAN
amednews.com

Even if practices think they have a strong data security plan in place, too often a new breach occurs that reminds them there are always additional steps that can be taken, or that certain vulnerabilities were overlooked.

The most recent reminder came through the UCLA Medical Center, which issued a public notice on Nov. 4 saying that a former employee's external computer hard drive that contained information about 16,288 patients was stolen during a house burglary. Although the data were encrypted, a piece of paper containing the password needed to decrypt the data also came up missing after the burglary.

UCLA said in the notice that the records did not contain Social Security numbers or financial information. But they did include first and last names and possibly birth dates, addresses and medical record numbers and information. The data ranged from July 2007 to July 2011. The theft occurred in September, and UCLA said it took until November to determine who was affected and obtain valid addresses for notification. The employee whose home was burglarized ended his employment with UCLA in July.

The entire story is here.

Saturday, November 19, 2011

U.C.L.A. Health System Warns About Stolen Records

LOS ANGELES (AP) — UCLA’s system of hospitals and clinics warned more than 16,000 patients that their personal information was on a computer hard drive stolen in the burglary of a doctor’s home, officials said Friday.

The UCLA Health System sent letters to the 16,288 patients affected, warning them of possible identity theft and giving them contact information for a data security company the system has enlisted for help.

Someone using the documents for identity theft was “very unlikely,” but there was a possibility, the statement said.

“UCLA’s concern for its patients is absolute, and we deeply regret any breach of confidentiality and the stress and concern it might cause,” it said.

The whole story can be found here.

Sunday, November 13, 2011

Children’s hospital loses personal info of 500,000 patients


wftv.com

In a potential security breach at Nemours Children’s Health System, officials say they have lost the personal information of thousands of Florida patients.

Company officials say the patient information was being stored in a filing cabinet at a facility in Delaware. Officials said inside the cabinet were non-password-protected computer backup tapes containing the personal and financial information of 500,000 Florida patients.

The whole story and video can be found here.

Monday, October 10, 2011

HIPAA Summit West: 1 in 4 Organizations Report Data Breaches

Dom Nicastro, for HealthLeaders Media, September 27, 2011

Ali Pabrai said it best at last week's fifth national HIPAA Summit West at the Grand Hyatt in San Francisco. Pabrai, a data security expert, noted that 97% of chief information officers are concerned about data security.

"My question is, 'Who are these other three percent?'" Pabrai asked the hundreds of laughing attendees.

Pabrai, MSEE, CISSP (ISSMP, ISSAP), of ecfirst's HIPAA Academy in Newport Beach, CA, delivered a message that resonates with HIPAA privacy and security officers: Everyone, especially those charged with protecting the privacy of patient information, needs to be concerned about data security.

Numbers game

The numbers at the HIPAA Summit told the story:
  • 1 in 4: Organizations reporting a data breach (source: Pabrai)
  • 250,000 to 500,000: Medical identity thefts (source: Pabrai)
  • 330: Organizations reporting a breach of unsecured protected health information affecting 500 or more individuals since September 2009 (source: Office for Civil Rights, or OCR)
  • 34,000: Number of reports of breaches submitted to OCR affecting fewer than 500 individuals (source: OCR)

How and where the breaches affecting 500 or more individuals are occurring:

How:
  • Theft: 50%
  • Unauthorized access/disclosure: 20%
  • Loss: 16%
  • Hacking/IT: 7%

Where:
  • Paper records: 24%
  • Laptop: 23%
  • Desktop computer: 17%
  • Portable electronic device: 16%
  • Network server: 10%

In August, McAfee reported that hackers broke into the United Nations data system and hid there for two years unnoticed, Pabrai said.

"How do we know that someone isn't hiding in our systems, and how long have they been there?" Pabrai asked the audience. "Do we have appropriate controls? What is the state of our information security?" Do you have intrusion protection and intrusion prevention in place?

"This is not just a compliance issue," Pabrai said. "This will have significant risk to the organization and will impact your facility in the seven figures."

The entire story can be read here.

Monday, September 26, 2011

HHS: More than 5.4M patients affected by data breaches in 2010



Written by the Editorial Staff of CMIO.net


In the U.S. Department of Health and Human Services’ annual report to Congress, Secretary Kathleen Sebelius reported that between Jan. 1, 2010, and Dec. 31, 2010, breaches involving 500 or more individuals were less than 1 percent of the breaches reported, but accounted for more than 99 percent of the more than 5.4 million individuals who were affected.

As part of the Health IT for Economic and Clinical Health (HITECH) Act, the HHS secretary is required to annually report to Congress on the number and nature of data breaches, and actions taken to respond to the breaches.

The number is growing because between Sept. 23, 2009, and Dec. 31, 2009, breaches involving 500 or more individuals were less than 1 percent, but accounted for more than 99 percent of the more than 2.4 million individuals affected by a breach of protected health information. The largest breaches occurred as a result of a theft, an error or failure to adequately secure protected health information. The greatest number of incidents resulted from human or technological error and involved the protected health information of just one individual, HHS’ report said.

The largest breaches in 2010, much like 2009, occurred as a result of a theft, HHS reported. However, compared with 2009, the number of individuals affected by the loss of electronic media or paper records containing protected health information in 2010 was greater than the number of individuals affected by unauthorized access or human error.

The report said the 2010 incidents involved an additional category, improper disposal of paper records by a covered entity or business associate. The greatest number of reported incidents in 2010 resulted from small breaches involving human or technological error, with the most common incidents involving protected health information of only one or two individuals.

HHS said in its report that the breach notification requirements are achieving their objectives: Increasing public transparency of breaches and increasing accountability of the covered entities.

The secretary indicated that covered entities and business associates are providing breach notifications. Millions of affected individuals are receiving notifications, local media are being notified in the regions affected, and the secretary is receiving breach reports. To provide increased public transparency, information about breaches involving 500 or more individuals is available on the Office for Civil Rights (OCR) website.

Also, the report said that more entities are taking remedial action to provide relief and mitigation to individuals and taking further action to prevent future breaches. In addition, OCR continues to exercise its oversight responsibility for reviewing and responding to and investigating breaches involving 500 or more individuals.

More than 250 breaches involving 500 or more individuals occurred in 2009 and 2010, and OCR has closed approximately 76 cases where it determined that the covered entity properly complied with the notification requirements, and corrective actions were taken. In the remaining cases, OCR continues to investigate and is working with the covered entities to ensure remedial action is taken to prevent future incidents.

For breaches involving fewer than 500 individuals, a covered entity must notify the secretary. HHS received approximately 5,521 reports of smaller breaches that occurred between Sept. 23, 2009, and Dec. 31, 2009. These smaller breaches affected approximately 12,000 individuals. HHS received more than 25,000 reports of smaller breaches occurring between Jan. 1, 2010, and Dec. 31, 2010. These smaller breaches affected more than 50,000 individuals.

The majority of the smaller breaches involved misdirected communications. Often, a clinical or claims record was mistakenly mailed or faxed to the wrong individual. In other instances, test results were sent to the wrong patient, files were attached to the wrong record, e-mails were sent to the wrong address and member ID cards were mailed to the wrong individuals. HHS said the covered entities reported fixing “glitches” in software that incorrectly compiled patient lists, revised policies and procedures, and trained or retrained employees who mishandled protected health information.

Monday, August 15, 2011

Wellpoint Reaches Settlement on Data Loss


WellPoint has reached a preliminary settlement in a class-action lawsuit filed in California Superior Court for the potential exposure of data belonging to more than 600,000 health insurance applicants on a company-run website.

Under the settlement, WellPoint agreed to offer credit monitoring services for two years to all affected individuals, according to a report by amednews.com.

The company agreed to reimburse affected individuals up to $50,000 for any identity theft losses; individuals have until May 31, 2016, to file an identity theft loss claim. The company also agreed to donate a total of $250,000 to two nonprofit organizations whose efforts are directed at protecting consumers' privacy on the Internet, according to the report.

The situation came to light when an applicant to WellPoint-owned Anthem Blue Cross of California sued the company in March 2010, according to a report by amednews.com. The applicant said he was able to manipulate the web address within the site and gain access to other applicants’ information, including names, addresses, dates of birth, social security numbers, and health and financial information.

When the class-action lawsuit was filed, the company said an upgrade to its system caused the information to be exposed. A third-party vendor had said that security measures were in place, when in fact they were not.

A hearing is scheduled for November at which time the court will decide whether to approve the settlement, the report noted.

Last month, WellPoint agreed to pay $100,000 in fines for delaying notification to 32,000 Indiana customers affected by a possible data breach in a settlement with the Indiana Attorney General.