Welcome to the Nexus of Ethics, Psychology, Morality, Philosophy and Health Care

Showing posts with label Breach of Information.

Sunday, May 11, 2014

Fourth HIPAA breach for Kaiser

By Erin McCann
Healthcare IT News
Originally published April 7, 2014

Some 5,100 patients treated at Kaiser Permanente were sent HIPAA breach notification letters Friday after a KP research computer was found to have been infected with malicious software. Officials say the computer was infected with the malware for more than two and a half years before being discovered Feb. 12.

The computer was used by the Kaiser Permanente Northern California Division of Research to store research data. The breach, officials note, involved patients participating in specific research studies and may have compromised their names, birth dates, medical record numbers, lab results associated with research, addresses and additional medical research data.

The entire story is here.

Monday, June 24, 2013

Five Ethical Mistakes To Avoid with Clients on the Internet

This is a brief overview of common mistakes to avoid with online psychotherapy. If nothing else, this short video should help a psychologist contemplating providing online psychotherapy services.

From the Australian Counseling Association.

Thursday, May 24, 2012

Patient information breach confirmed

Officials: Staffer copied confidential data at Reading Hospital for training purposes

By Dan Kelly and Ron Devlin
The Reading Eagle
Originally published May 18, 2012

Reading Hospital's medical records system was breached recently by an employee who copied sensitive patient information and used it for training purposes, hospital officials confirmed Thursday.

Medical test results, diagnoses, prescribed medications and other data legally classified as Protected Health Information on 12 patients were made public without the hospital's knowledge or the patients' consent.

Susan Heffner, privacy officer for the hospital, said it was the hospital's first breach of patient health information.

"This was old school," Heffner said. "Someone made paper copies of records."

The entire story is here.

Monday, September 26, 2011

HHS: More than 5.4M patients affected by data breaches in 2010

Written by the Editorial Staff of CMIO.net

In the U.S. Department of Health and Human Services’ annual report to Congress, Secretary Kathleen Sebelius reported that between Jan. 1, 2010, and Dec. 31, 2010, breaches involving 500 or more individuals were less than 1 percent of the breaches reported, but accounted for more than 99 percent of the more than 5.4 million individuals who were affected.

As part of the Health Information Technology for Economic and Clinical Health (HITECH) Act, the HHS secretary is required to report annually to Congress on the number and nature of data breaches and the actions taken to respond to them.

The number is growing: between Sept. 23, 2009, and Dec. 31, 2009, breaches involving 500 or more individuals likewise made up less than 1 percent of those reported, but accounted for more than 99 percent of the more than 2.4 million individuals affected by a breach of protected health information. The largest breaches occurred as a result of theft, error or failure to adequately secure protected health information. The greatest number of incidents resulted from human or technological error and involved the protected health information of just one individual, HHS’ report said.

The largest breaches in 2010, much like 2009, occurred as a result of a theft, HHS reported. However, compared with 2009, the number of individuals affected by the loss of electronic media or paper records containing protected health information in 2010 was greater than the number of individuals affected by unauthorized access or human error.

The report said the 2010 incidents involved an additional category, improper disposal of paper records by a covered entity or business associate. The greatest number of reported incidents in 2010 resulted from small breaches involving human or technological error, with the most common incidents involving protected health information of only one or two individuals.

HHS said in its report that the breach notification requirements are achieving their objectives: increasing public transparency of breaches and increasing the accountability of covered entities.

The secretary indicated that covered entities and business associates are providing breach notifications. Millions of affected individuals are receiving notifications, local media are being notified in the regions affected, and the secretary is receiving breach reports. To provide increased public transparency, information about breaches involving 500 or more individuals is available on the Office for Civil Rights (OCR) website.

Also, the report said that more entities are taking remedial action to provide relief and mitigation to individuals and taking further action to prevent future breaches. In addition, OCR continues to exercise its oversight responsibility for reviewing and responding to and investigating breaches involving 500 or more individuals.

More than 250 breaches involving 500 or more individuals occurred in 2009 and 2010, and OCR has closed approximately 76 cases where it determined that the covered entity properly complied with the notification requirements, and corrective actions were taken. In the remaining cases, OCR continues to investigate and is working with the covered entities to ensure remedial action is taken to prevent future incidents.

For breaches involving fewer than 500 individuals, a covered entity must notify the secretary. HHS received approximately 5,521 reports of smaller breaches that occurred between Sept. 23, 2009, and Dec. 31, 2009. These smaller breaches affected approximately 12,000 individuals. HHS received more than 25,000 reports of smaller breaches occurring between Jan. 1, 2010, and Dec. 31, 2010. These smaller breaches affected more than 50,000 individuals.

The majority of the smaller breaches involved misdirected communications. Often, a clinical or claims record was mistakenly mailed or faxed to the wrong individual. In other instances, test results were sent to the wrong patient, files were attached to the wrong record, e-mails were sent to the wrong address and member ID cards were mailed to the wrong individuals. HHS said the covered entities reported fixing “glitches” in software that incorrectly compiled patient lists, revised policies and procedures, and trained or retrained employees who mishandled protected health information.

Friday, September 16, 2011

Patient Data Posted Online in Major Breach of Privacy

By Kevin Sack
The New York Times
Published September 9, 2011

A medical privacy breach led to the public posting on a commercial Web site of data for 20,000 emergency room patients at Stanford Hospital in Palo Alto, Calif., including names and diagnosis codes, the hospital has confirmed. The information stayed online for nearly a year.

Since discovering the breach last month, the hospital has been investigating how a detailed spreadsheet made its way from one of its vendors, a billing contractor identified as Multi-Specialty Collection Services, to a Web site called Student of Fortune, which allows students to solicit paid assistance with their schoolwork.

Gary Migdol, a spokesman for Stanford Hospital and Clinics, said the spreadsheet first appeared on the site on Sept. 9, 2010, as an attachment to a question about how to convert the data into a bar graph.

Although medical security breaches are not uncommon, the Stanford breach was notable for the length of time that the data remained publicly available without detection.

Even as government regulators strengthen oversight by requiring public reporting of breaches and imposing heavy fines, experts on medical security said the Stanford breach spotlighted the persistent vulnerability posed by legions of outside contractors that gain access to private data.

The spreadsheet included names, diagnosis codes, account numbers, admission and discharge dates, and billing charges for patients seen at Stanford Hospital’s emergency room during a six-month period in 2009, Mr. Migdol said. It did not include Social Security numbers, birth dates, credit-card numbers or other information used to perpetrate identity theft, he said, but the hospital is offering free identity protection services to affected patients.

The breach was discovered by a patient and reported to the hospital on Aug. 22, according to a letter written four days later to affected patients by Diane Meyer, Stanford Hospital’s chief privacy officer. The hospital took “aggressive steps,” and the Web site removed the post the next day, Ms. Meyer wrote. It also notified state and federal agencies, Mr. Migdol said.

“It is clearly disturbing when this information gets public,” he said. “It is our intent 100 percent of the time to keep this information confidential and private, and we work hard every day to ensure that.”

Diane Dobson, of Santa Clara, Calif., said her “jaw dropped” on Saturday when she intercepted the letter from Ms. Meyer addressed to her 21-year-old son, who she said had received emergency psychiatric treatment at Stanford in 2009. Ms. Dobson said it could have been disastrous if her son, who lives at home, had learned that his name was linked to a mental health diagnosis.

“My son, I can tell you, is fragile and confused enough that this would have sent him over the edge,” Ms. Dobson said, saying she decided to speak publicly now because of her frustration with the breach. “Everyone with an electronic medical record is at risk, and that means everyone.”

The entire story can be read here.

Monday, August 15, 2011

Computer theft impacts 400K S. Carolina patients

by Angela Moscaritolo

In one of the largest health care data breaches this year, a computer containing hundreds of thousands of patient records was stolen from South Carolina's Spartanburg Regional Healthcare System.

How many victims? 400,000.

What type of personal information? Social Security numbers, names, addresses, dates of birth and medical billing codes.

What happened? A desktop computer containing the sensitive data was stolen from an employee's car on March 28. The employee was authorized to have the computer.

Details: The health care system posted a notification about the breach on its website in late May, though it did not reveal how many patients were affected. The U.S. Department of Health and Human Services last week revealed the number of impacted individuals.

There is no evidence that the information has been misused.

What was the response? Spartanburg reported the theft to authorities. An investigation was launched. The company also took unspecified steps to enhance its security procedures. Affected individuals have been notified and offered a free subscription for identity theft consultation and credit monitoring services.

The letter to patients can be found here.

The HHS.gov site that documents breaches of unsecured protected health information affecting 500 or more individuals can be found here.

ISU Breach Exposes Medical Information

A breach in an Idaho State University server's firewall has exposed private medical information from patients of Pocatello Family Medicine to anyone on the Internet.

But, the clinic said, there is no evidence that any of that medical information has been stolen or even accessed. They say the firewall was taken down in August 2010 for maintenance, but an employee noticed in May that it still had not been put back up.

Some hackers did access the server and used the space there to store some movies, but Medical Practice Director Amy O'Brien said patients do not need to worry.

"I don't think there's a big cause for concern but we just wanted to be proactive and let them know and try to take care of them," she said.

O'Brien said a call center has been established for patients with questions and anyone affected is being offered free credit monitoring for the next year.


Saturday, July 23, 2011

California patients can sue if personal data are released during billing disputes

The Supreme Court of California has ruled that patients can sue doctors, debt collectors and others who disclose their medical information to credit agencies during billing disputes.

The ruling exposes California physicians to more lawsuits and hinders their ability to collect outstanding bills, said an attorney involved in the case.

In the past, the Fair Credit Reporting Act (FCRA) protected doctors from lawsuits over such disclosures. The law says that if doctors or others receive notice that a debt is in dispute, they are required to furnish accurate and complete information about the debt to the requesting credit agency.

But in its June 16 opinion, the state's high court said a more stringent California law on patient privacy trumps the FCRA, preventing doctors from releasing any confidential information to creditors without patient consent.

"It really inhibits the ability of health care providers to document the basis for [debt] claims," said Charles Messer, an attorney who represented the bill collector, Stewart Mortenson. "It makes collecting medical debts much more difficult."

The decision stems from a billing dispute between Robert Brown and his dentist, Rolf Reinholds. In 2000, Brown was billed for a treatment he said he never received. The bill was referred to a debt collector, who contacted Reinholds for more information after Brown denied the debt, according to court records.

Reinholds sent Mortenson a copy of Brown's medical history. The record included medical histories of Brown's children, which were in the same file. As the billing dispute continued, Mortenson disclosed the medical information to three national consumer reporting agencies.

Brown sued Reinholds and Mortenson, alleging that he never consented to the record disclosure. Among other details, the information included Brown's Social Security number, address, date of birth and telephone number, court records show. Reinholds was dismissed from the suit after settling out of court, according to attorneys in the case.

Lower courts cited federal law

The trial and appellate courts ruled in favor of Mortenson. The lower courts said the confidential information provided was protected by the FCRA.

But the Supreme Court said the law is preempted by the stricter state measure, and that Brown's original claim could move forward. The court said the state privacy law also trumps the Health Insurance Portability and Accountability Act, which allows for certain administrative disclosures.

Brown, an attorney who represented himself, said the high court analyzed the facts carefully and came to the correct conclusion.

"It means people working with health care records in California have to be very careful they are not violating patients' confidentiality," he said. "Without patients' consent, medical information, including a patient's identifying [details], cannot be turned over to credit agencies."

The decision restricts the free flow of information needed for fair and accurate credit reporting, Messer said. Doctors are now subject to legal claims for complying with federal law and providing debt information, he added.

"It becomes a Catch-22 and exposes health care providers to liability," he said.

Messer is considering asking the U.S. Supreme Court to review the case.

Additional Information

Robert A. Brown v. Stewart Mortenson, Supreme Court of California, June 16 (www.courtinfo.ca.gov/opinions/documents/S180862.PDF)

Friday, July 22, 2011

Survey: 90% of companies say they've been hacked


By Jaikumar Vijayan
Computerworld

If it sometimes appears that just about every company is getting hacked these days, that's because they are.

In a recent survey (download PDF) of 583 U.S. companies conducted by Ponemon Research on behalf of Juniper Networks, 90% of the respondents said their organizations' computers had been breached at least once by hackers over the past 12 months.

Nearly 60% reported two or more breaches over the past year. More than 50% said they had little confidence of being able to stave off further attacks over the next 12 months.

Those numbers are significantly higher than findings in similar surveys, and they suggest that a growing number of enterprises are losing the battle to keep malicious intruders out of their networks.

"We expected a majority to say they had experienced a breach," said Johnnie Konstantas, director of product marketing at Juniper, a Sunnyvale, Calif.-based networking company. "But to have 90% saying they had experienced at least one breach, and more than 50% saying they had experienced two or more, is mind-blowing." Those findings suggest "that a breach has become almost a statistical certainty" these days, she said.

The organizations that participated in the Ponemon survey represented a wide cross-section of both the private and public sectors, ranging from small organizations with fewer than 500 employees to enterprises with workforces of more than 75,000. The online survey was conducted over a five-day period earlier this month.

Roughly half of the respondents blamed resource constraints for their security woes, while about the same number cited network complexity as the primary challenge to implementing security controls.

The Ponemon survey comes at a time of growing concern about the ability of companies to fend off sophisticated cyberattacks. Over the past several months, hackers have broken into numerous supposedly secure organizations, such as security vendor RSA, Lockheed Martin, Oak Ridge National Laboratory and the International Monetary Fund.

Many of the attacks have involved the use of sophisticated malware and social engineering techniques designed to evade easy detection by conventional security tools.

The attacks have highlighted what analysts say is a growing need for enterprises to implement controls for the quick detection and containment of security breaches. Instead of focusing only on protecting against attacks, companies need to prepare for what comes after a targeted breach.

The survey results suggest that some organizations have begun moving in that direction. About 32% of the respondents said their primary security focus was on preventing attacks, but about 16% claimed the primary focus of their security efforts was on quick detection of and response to security incidents. About one out of four respondents said their focus was on aligning security controls with industry best practices.