BreachExchange mailing list archives

Journalist uncovers hospital data breaches


From: Erica Absetz <eabsetz () opensecurityfoundation org>
Date: Thu, 21 Feb 2013 13:20:47 -0500

http://www.lexology.com/library/detail.aspx?g=76c32025-0416-4689-9f51-d0192232400e

An article published by specialist healthcare news website
Actusoins(1) has revealed data breaches at several French hospitals
and clinics, demonstrating that such incidents can occur even in a
highly regulated jurisdiction.

The journalist was researching another article and entered the name of
a physician into Google. She was astonished to find, at the top of the
results, a scanned copy of the doctor's prescription for a PET scan
for a cancer patient whose name was still on the prescription. The
journalist continued her investigation and discovered numerous other
data breaches, including:

lists of patients admitted to various services in different hospitals;
a list of disabled adults and children; and
patients' test results.

The breaches originated in different hospitals and clinics.

The Actusoins website hid the patient data before publishing the
article, and stated that the relevant hospitals and clinics had been
informed and had corrected the breaches.

France has strict laws relating to the protection of health data, with
high fines and criminal penalties for breaches. France is one of the
only countries in Europe to require that health data be stored only
with hosting providers approved by the French government. In spite of
these precautions, compliance appears to be lax, particularly among
smaller healthcare facilities. Some of the facilities cited in the
article made very basic mistakes in how they store and protect health
data, including failing to secure file transfer protocol servers. At
present, France does not impose a data breach notification requirement
on healthcare providers, but such an obligation is likely to be
introduced with the adoption of the proposed EU regulation on the
protection of personal data.
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list
