Six Healthcare Data Breaches That Might Make Security Pros Sick

Most of the healthcare industry's biggest compromises could have been avoided, experts say
4. Silicon Valley Eyecare Optometry and Contact Lenses: More than 40,000 patients were informed of a breach that exposed their sensitive health and identifiable information after Silicon Valley Eyecare was hit by burglars. The thieves stole the server containing the firm's patient database, which included health information and personally identifiable information, such as dates of birth and Social Security Numbers. The burglars broke in through a window, nabbing the server and a plasma TV; they were in and out within 50 seconds, according to the eye-care center, which recorded the theft on video.

Lessons Learned: Though the server did sit inside a locked room, it was likely visible from the window. The database on the server was password protected but unencrypted, so whoever holds the hardware holds the data. To prevent these types of breaches, database stewards need to plan better layers of both physical and logical security. This means storing servers in secure, concealed locations and encrypting the data at rest on those machines.

5. Affinity Health Plan: This spring, Affinity informed hundreds of thousands of customers that it potentially exposed their personal information through the unlikeliest of devices: the office copier. The health insurance company apparently returned a copying machine to its leasing company without checking the information contained on its hard drive after extended use. All in all, the copier compromised 409,000 records.

Lessons Learned: With so many devices in the office connecting to the database and processing sensitive information, organizations must remain vigilant about how data is used and stored -- no matter what the electronic medium. Multipurpose copy machines are a particularly tricky prospect because they can copy and store both digital and paper format files, making it necessary for organizations to develop policies about data retention and to train employees to stick to those mandates.

6. AvMed Health Plans: This year has not been good for AvMed and security. In February, it went public with breach details from a late 2009 stolen laptop incident that it initially said exposed more than 200,000 records. By June, it had upped those figures to 1.2 million records. AvMed claimed in its press releases that the risk of fraudulent use of these records was low, but did not say whether the data was encrypted.

Lessons Learned: Laptops needn't be out in the field to be juicy targets for theft -- they just need to contain enough valuable records to entice thieves. In this case, the two laptops were stolen directly from AvMed's offices. A very large number of healthcare's data breach woes can be pinned to lost and stolen laptops.
