An Unhealthy Amount of Lost Data...

Per section 13402(e)(4) of the HITECH Act, the government has made the names and causes of healthcare company data breaches public on the U.S. Department of Health and Human Services website.

We downloaded the spreadsheet of 282 organizations, and the top cause of lost data was personal. Some were blatant thefts, but most were accidental:

Kaiser Permanente Medical Care Program: An employee left an external portable hard drive containing electronic protected health information in a vehicle that was stolen. The hard drive contained the protected health information of approximately 15,500 individuals. The protected health information involved in the breach included names, medical record numbers, and information relating to the care and treatment of various chronic health conditions. A subset of records may also have included dates of birth or ages, gender, phone numbers, and general information relating to the care and treatment of chronic health conditions. Following the breach, the responsible employee was terminated for violating KP’s policies. Additionally, OCR’s investigation resulted in the covered entity initiating deployment of a Removable Media Encryption software tool.

Blue Cross Blue Shield Association: The business associate incorrectly updated the contract holders’ addresses, resulting in the mailing of protected health information to incorrect recipients. The breach affected approximately 3,400 members. The protected health information involved included demographic information, EOBs, clinical information, and diagnoses. In response to this incident, the covered entity took steps to enforce the requirements of its business associate agreement with SBP. The business associate improved its code review process to catch the system error that caused this incident and instituted a manual quality review process designed to identify bad addresses.
Health Services for Children with Special Needs: A laptop was lost by an employee while in transit on public transportation. The computer contained the protected health information of 3,800 individuals. The protected health information involved in the breach included names, Medicaid ID numbers, dates of birth, and primary physicians. In response to this incident, the covered entity took steps to enforce the requirements of the Privacy & Security Rules. The covered entity has installed encryption software on all employee computers, strengthened access controls including passwords, reviewed and updated security policies and procedures, and updated its risk assessment. In addition, all employees received additional security training.

North Carolina Baptist Hospital: An employee’s car was broken into, and a tote bag holding a spreadsheet containing PHI was stolen from the car. The paper file in the tote bag had PHI pertaining to 554 patients. The type of PHI involved in the breach included the following: patients’ name, age, weight, race, Social Security number, and blood and tissue typing. Following the breach, among other things, the covered entity’s Privacy Office reviewed the applicable policies and procedures with the clinic responsible, the employee involved was counseled, and affected patients were offered a year of credit monitoring services along with a toll-free number to contact the covered entity if the patients or their family members had any questions concerning the reported breach. As a result of OCR’s investigation, the covered entity took several compliance actions, including creating an action plan to address the breach, installing video cameras in the parking dock for the clinic, and establishing a new Privacy and Information Security Council to help identify ways to improve and strengthen privacy and security policies and practices across the Medical Center.
Penn Treaty Network America Insurance Company: Social Security numbers were inadvertently printed on the address labels in a newsletter mailing. The mailing had 560 recipients. The covered entity acted to mitigate the disclosure by verifying that all mail was correctly delivered. It also counseled the responsible employee and updated its policies and procedures.

The steps taken to correct these situations were generally the same: "strengthen policies" and "educate the staff involved." Wouldn't it be great if the data had been thoroughly locked down in the first place? This list should serve as a great big neon sign to every business in every industry: "We are in an age of 'when,' not 'if.'" Don't risk becoming the next data breach headline...