Risk
7/22/2010
09:56 PM
George V. Hulme
George V. Hulme
Commentary
Connect Directly
RSS
E-Mail
50%
50%

Healthcare Breaches Spin Out Of Control

If the past week is any indication (and I'm afraid it is), health care companies are doing an abysmal job at protecting personal health care data.

If the past week is any indication (and I'm afraid it is), health care companies are doing an abysmal job at protecting personal health care data.This evening the Colorado Department of Health Care Policy and Financing announced that state officials discovered an unauthorized removal of a computer hard drive from the state's Office of Information Technology Department:

The information did NOT include addresses, dates of birth, social security numbers or any other financial information that could be used for identity theft. It included name, state ID number and the name of the client's program.

Approximately 111,000 clients, or one-fifth of those receiving public health insurance, will receive notification by first-class mail, as required by HIPAA.

So there it is, roughly 20 percent of the state's clients' data is at risk. Thankfully Social Security numbers were not exposed. Still: why is stored sensitive data not encrypted?

Perhaps because it's easier not to encrypt the data and then have to deal with all of the extra hassle. Just as it's easier to dump medical records than it is to have them properly destroyed.

Consider the shock when a Florida couple went to their local recycling center to discover "thousands" of medical records just tossed in the trash.

From Tampa Bay Online:

When they looked at the paper bin it was not only full to the point of pushing up the lid, it was practically bursting at its seams. Inside were what looked to be thousands of pastel and manila file folders, all with neat tabs attached.

Curious, they pulled out a couple and were stunned to see that they appeared to be medical records, Karen Keith said.

The information inside the files included some that couldn't be more personal - or dangerous: Social Security numbers, copies of drivers' license numbers and even credit cards numbers, she said.

Nice. Fortunately the couple called authorities, and the paperwork wasn't found by a crook, or someone willing to sell the data to a bunch of crooks. Unfortunately, we probably don't hear about it when that actually happens, we just witness the resulting spike in identity and medical identity theft.

Also last week, a professional data management firm lost data on 800,000 patients. From South Shore Hospital's notice:

Based upon South Shore Hospital's investigation so far, the back-up computer files could contain personally identifiable information for approximately 800,000 individuals. Included among those individuals are patients who received medical services at South Shore Hospital - as well as employees, physicians, volunteers, donors, vendors and other business partners associated with South Shore Hospital - between January 1, 1996 and January 6, 2010. The information on the back-up computer files may include individuals' full names, addresses, phone numbers, dates of birth, Social Security numbers, driver's license numbers, medical record numbers, patient numbers, health plan information, dates of service, protected health information including diagnoses and treatments relating to certain hospital and home health care visits, and other personal information. Bank account information and credit card numbers for a very small subset of individuals also may have been on the back-up computer files.

South Shore Hospital's back-up computer files were shipped for offsite destruction on February 26, 2010. When certificates of destruction were not provided to the hospital in a timely manner, the hospital pressed the data management company for an explanation. South Shore Hospital was finally informed on June 17, 2010 that only a portion of the shipped back-up computer files had been received and destroyed.

Unfortunately, this past week isn't much unlike any other week. Patient records are lost and stolen constantly.

So how does the health care industry bring some level of control over these breaches? Personally, I think they're adopting electronic medical records way too quickly: so slowing that down a bit would be a start. At least slowing down the implementation enough to conduct a security assessment of the health care provider, and make sure such records are adequately protected.

Another would be more aggressive enforcement. A recent example of a successful action would be the successful action of the Connecticut Attorney General's Office against the regional health plan, Health Net, for a lost portable drive that included health information, Social Security and bank account numbers on about 446,000 patients. In that incident, Health Net agreed to pay a $250,000 fine and implement a Corrective Action Plan to improve their security program. For a good overview, read Richard Santalesa's analysis of the settlement here, published yesterday.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-5242
Published: 2014-10-21
Directory traversal vulnerability in functions/suggest.php in Banana Dance B.2.6 and earlier allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the name parameter in a get_template action.

CVE-2012-5243
Published: 2014-10-21
functions/suggest.php in Banana Dance B.2.6 and earlier allows remote attackers to read arbitrary database information via a crafted request.

CVE-2012-5702
Published: 2014-10-21
Multiple cross-site scripting (XSS) vulnerabilities in dotProject before 2.1.7 allow remote attackers to inject arbitrary web script or HTML via the (1) callback parameter in a color_selector action, (2) field parameter in a date_format action, or (3) company_name parameter in an addedit action to i...

CVE-2013-7406
Published: 2014-10-21
SQL injection vulnerability in the MRBS module for Drupal allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

CVE-2014-2531
Published: 2014-10-21
SQL injection vulnerability in xhr.php in InterWorx Web Control Panel (aka InterWorx Hosting Control Panel and InterWorx-CP) before 5.0.14 build 577 allows remote authenticated users to execute arbitrary SQL commands via the i parameter in a search action to the (1) NodeWorx , (2) SiteWorx, or (3) R...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.