BreachExchange mailing list archives

Top 10 Healthcare Data Breaches for 2014


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 19 Dec 2014 09:41:21 -0700

http://healthitsecurity.com/2014/12/15/top-10-healthcare-data-breaches-for-2014/

No facility wants to experience a healthcare data breach. Not only can
patients’ protected healthcare information (PHI) be put at risk, but the
organization’s reputation will be on the line. It can take time for a
healthcare facility to recover. The monetary penalties can be heavy, and
patients will need reassurance that they can trust the healthcare
organization with their PHI once again.

As we wrap up 2014, HealthITSecurity.com decided to take a look back at
some of the largest healthcare data breaches. These are not the only
security incidents that took place this year, and facilities of all sizes
need to keep their HIPAA security requirements current. However, in terms
of sheer size of patients affected, these data breaches were significant.
Moving into the new year, healthcare organizations should review all
security measures and ensure that they remain diligent in protecting
sensitive information.

40,000 patient records stolen from New Jersey doctor

In October, Dr. Nisar A. Quraishi of New Jersey found that both latches on
the shed door of his office’s storage facility had been cut open. Upon
entering, Quraishi told police he quickly saw that all of the medical
records of patients he had treated between 1982 and 2009 – and may still be
treating – had been stolen.

Approximately 40,000 patient records containing PHI were missing. The
records reportedly included patients’ Social Security numbers, dates of
birth, home addresses and medical histories.

Third Breach in two years for Aventura Hospital and Medical Center

Aventura Hospital and Medical Center announced in September that its most
recent healthcare data breach occurred from Sept. 13, 2012 to June 9, 2014.
A vendor’s employee reportedly stole the information of approximately
82,000 patients.

The breach reportedly occurred when an employee of Valesco Ventures,
Aventura’s HIPAA business associate (BA), inappropriately accessed patient
names, dates of birth and Social Security numbers. However, the
organization said that no financial or health information was included in
the incident. Aventura claimed it was working with local and federal
authorities on breach investigation and said it will begin assessing how to
mitigate patient risks going forward.

Millions of records compromised by Chinese hackers

Community Health Systems, Inc. experienced the largest healthcare data
breach of the year, when it announced toward the end of the summer that
Chinese cyber criminals hacked into its computer network with malware
between April and June 2014.

The hackers compromised 4.5 million patients’ data, including names,
addresses, birth dates, telephone numbers and Social Security numbers.
However, no credit card or medical data were reportedly involved.

Mandiant, Community Health Systems’ security vendor, explained that the
group believed to have caused the breach has also looked for intellectual
property, including medical device data.

Tennessee subcontractor notifies 60,000 of data breach

Onsite Health Diagnostics (OHD), a Tennessee government subcontractor,
announced over the summer that an unknown party had inappropriately
accessed its online scheduler early in the year. It was reported at the
time that the intruder gained access to the data of 60,582 employees, such
as names, dates of birth, addresses, email addresses, phone numbers and
gender, between January 4, 2014 and April 11, 2014.

Financial information was not included in the healthcare data breach.
Moreover, the incident did not affect any diagnosis or medical information,
but the state determined that because it is related to members’ health
benefits, the disclosure of name, address, email address, phone number and
gender does fall under the HIPAA definition of a breach of protected health
information.

63,000 patients affected by mailing error

St. Vincent Breast Center of Indianapolis alerted approximately 63,000
patients in July that their data had been potentially compromised after the
organization mistakenly sent letters with patient information to the wrong
addresses.

“We value the privacy and security of patient information, and regret this
mailing error,” Rex McKinney, privacy officer for St. Vincent Indianapolis
Hospital, said to wishtv.com. “It is our priority to support those who have
been affected and make the necessary changes to our patient mailing process
to avoid future occurrences. We sincerely apologize for any inconveniences
resulting from this unfortunate incident.”

The hospital reported that it destroyed all letters that patients sent back
to them. However, it was unknown at the time of the incident how many
mistakenly mailed letters were still out there. The organization added that
it will implement new patient information mailing strategies going forward.

NRAD breach affects 97,000 patients

Garden City, New York-based NRAD Medical Associates informed 97,000
patients over the summer that an internal employee inappropriately accessed
PHI and patient billing data back in April 2014.

A radiologist was reportedly able to get around the IT security
safeguards in place and access information such as dates of birth,
addresses, Social Security numbers, and health insurance information.
However, NRAD stated that it didn’t believe the information was being used
maliciously and that it had “immediately enhanced security measures.”

Montana healthcare data breach affects 1.3 million patients

The Montana Department of Public Health and Human Services (DPHHS)
determined on May 22, 2014 that its server had likely been hacked as far
back as July 2013. The breach affected 1.3 million patients.

DPHHS reported that its server held patient demographic information,
including names, addresses, dates of birth, and Social Security numbers.
Additionally, some records may have contained information regarding DPHHS
services clients applied for and/or received, such as health assessments,
diagnoses, treatment, health condition, prescriptions, and insurance.

“The state has taken several steps to further strengthen security,
including safely restoring all systems affected, adding additional security
software to better protect sensitive information on existing servers, and
continually reviewing its security practices to ensure all appropriate
measures are being taken to protect citizen information,” DPHHS said in a
statement.

UPMC employees hit with data breach

The University of Pittsburgh Medical Center’s (UPMC) original projection of
817 employees being affected by a data breach turned out to be greatly
underestimated. At first 27,000 total were thought to be potentially at
risk, but it was later changed to include all 62,000 employees.

The breach was first reported in February, and it appeared that the
compromised information was accessed with financial data in mind, leaving
the affected employees at risk of identity fraud. Employees had already
been raising concerns about identity theft before the number of affected
individuals was increased. Some staff had also filed a class-action
lawsuit against UPMC.

Over 300,000 patients affected in LA data breach

The Los Angeles County Department of Health Services (DHS) initially
reported a 168,000-patient data breach at its billing company, Sutherland
Healthcare Solutions. However, one month later it added 170,200 patients to
the breach list.

Eight computers were stolen from the Torrance location on February 6 and
patients’ first and last names, Social Security numbers and certain medical
and billing information, as well as potentially birth dates, addresses and
diagnoses, may have been compromised.

The organization’s security procedures were going to be reviewed, a
spokesman explained at the time. Moreover, local and federal authorities
were both looking into the incident.

Texas health system sees 405,000 patients affected by breach

St. Joseph Health System (SJHS) in Texas reported a data breach at the
beginning of the year that has affected more than 405,000 patients,
employees, and employee beneficiaries.

Information was reportedly accessed through a single server by hackers from
China and other locations. The data included patient names, birth dates,
Social Security numbers, and possibly addresses. Medical information for
patients was accessible, as well as bank information for current and former
employees. However, investigators could not determine if any information
had been extracted.

“SJHS is working with the United States Federal Bureau of Investigation,
which is also looking into this incident,” the hospital said in a
statement. “SJHS is providing written notice of this incident to affected
individuals, to the U.S. Department of Health and Human Services, as well
as to certain state and international regulators.”