BreachExchange mailing list archives
Top 10 Healthcare Data Breaches for 2014
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 19 Dec 2014 09:41:21 -0700
http://healthitsecurity.com/2014/12/15/top-10-healthcare-data-breaches-for-2014/

No facility wants to experience a healthcare data breach. Not only can patients’ protected healthcare information (PHI) be put at risk, but the organization’s reputation will be on the line. It can take time for a healthcare facility to recover. The monetary penalties can be heavy, and patients will need reassurance that they can trust the healthcare organization with their PHI once again.

As we wrap up 2014, HealthITSecurity.com decided to take a look back at some of the largest healthcare data breaches. These are not the only security incidents that took place this year, and facilities of all sizes need to keep their HIPAA security requirements current. However, in terms of sheer size of patients affected, these data breaches were significant. Moving into the new year, healthcare organizations should review all security measures and ensure that they remain diligent in protecting sensitive information.

40,000 patient records stolen from New Jersey doctor

In October, Dr. Nisar A. Quraishi of New Jersey found that both latches on the shed door of his office’s storage facility had been cut open. Upon entering, Quraishi told police he quickly saw that all of the medical records of patients he had treated between 1982 and 2009 – and may still be treating – had been stolen.

Approximately 40,000 patient records containing PHI were missing. The records reportedly included patients’ Social Security numbers, dates of birth, home addresses and medical histories.

Third Breach in two years for Aventura Hospital and Medical Center

Aventura Hospital and Medical Center announced in September that its most recent healthcare data breach occurred from Sept. 13, 2012 to June 9, 2014. A vendor’s employee reportedly stole the information of approximately 82,000 patients.

The breach reportedly occurred when an employee of Valesco Ventures, Aventura’s HIPAA business associate (BA), inappropriately accessed patient names, dates of birth and Social Security numbers. However, the organization said that no financial or health information was included in the incident.

Aventura claimed it was working with local and federal authorities on breach investigation and said it will begin assessing how to mitigate patient risks going forward.

Millions of records compromised by Chinese hackers

Community Health Systems, Inc. experienced the largest healthcare data breach of the year, when it announced toward the end of the summer that Chinese cyber criminals hacked into its computer network with malware between April and June 2014. The hackers compromised 4.5 million patients’ data, including names, addresses, birth dates, telephone numbers and Social Security numbers. However, no credit card or medical data were reportedly involved.

Mandiant, Community Health Systems’ security vendor, explained that the group believed to have caused the breach has also looked for intellectual property, including medical device data.

Tennessee subcontractor notifies 60,000 of data breach

Onsite Health Diagnostics (OHD), a Tennessee government subcontractor, announced over the summer that an unknown party had inappropriately accessed its online scheduler early in the year. It was reported at the time that the source gained access to 60,582 employees’ data, such as names, date of birth, addresses, email addresses, phone numbers and gender from January 4, 2014 to April 11, 2014.

Financial information was not included in the healthcare data breach. Moreover, the incident did not affect any diagnosis or medical information, but the state determined that because it is related to members’ health benefits, the disclosure of name, address, email address, phone number and gender does fall under the HIPAA definition of a breach of protected health information.

63,000 patients affected by mailing error

St. Vincent Breast Center of Indianapolis alerted approximately 63,000 patients in July that their data had been potentially compromised after the organization mistakenly sent letters with patient information to the wrong addresses.

“We value the privacy and security of patient information, and regret this mailing error,” Rex McKinney, privacy officer for St. Vincent Indianapolis Hospital, said to wishtv.com. “It is our priority to support those who have been affected and make the necessary changes to our patient mailing process to avoid future occurrences. We sincerely apologize for any inconveniences resulting from this unfortunate incident.”

The hospital reported that it destroyed all letters that patients sent back to them. However, it was unknown at the time of the incident how many mistakenly mailed letters were still out there. The organization added that it will implement new patient information mailing strategies going forward.

NRAD breach affects 97,000 patients

Garden City, New York-based NRAD Medical Associates informed 97,000 patients over the summer that an internal employee inappropriately accessed PHI and patient billing data back in April 2014.

A radiologist was reportedly able to maneuver through IT security safeguards in place and access information such as date of birth, address, Social Security number, and health insurance information. However, NRAD stated that it didn’t believe the information was being used maliciously and that it had “immediately enhanced security measures.”

Montana healthcare data breach affects 1.3 million patients

The Montana Department of Public Health and Human Services (DPHHS) determined on May 22, 2014 that its server was likely hacked as far back as July 2013. The breach affected 1.3 million patients.

DPHHS reported that its server held patient demographic information, including names, addresses, dates of birth, and Social Security numbers. Additionally, some records may have contained information regarding DPHHS services clients applied for and/or received, such as health assessments, diagnoses, treatment, health condition, prescriptions, and insurance.

“The state has taken several steps to further strengthen security, including safely restoring all systems affected, adding additional security software to better protect sensitive information on existing servers, and continually reviewing its security practices to ensure all appropriate measures are being taken to protect citizen information,” DPHHS said in a statement.

UPMC employees hit with data breach

The University of Pittsburgh Medical Center’s (UPMC) original projection of 817 employees being affected by a data breach turned out to be greatly underestimated. At first 27,000 total were thought to be potentially at risk, but it was later changed to include all 62,000 employees.

The breach was first reported in February, and it appeared as though the compromised information was accessed with access to financial data in mind and the affected employees may be at risk of identity fraud.

Employees had already been raising concerns about identity theft before the number of affected individuals was increased. Some staff had also filed a class-action lawsuit against UPMC.

Over 300,000 patients affected in LA data breach

The Los Angeles County Department of Health Services (DHS) initially reported a 168,000-patient data breach at its billing company, Sutherland Healthcare Solutions. However, one month later it added 170,200 patients to the breach list.

Eight computers were stolen from the Torrance location on February 6 and patients’ first and last names, Social Security numbers and certain medical and billing information, as well as potentially birth dates, addresses and diagnoses, may have been compromised.

The organization’s security procedures were going to be reviewed, a spokesman explained at the time. Moreover, local and federal authorities were both looking into the incident.

Texas health system sees 405,000 patients affected by breach

St. Joseph Health System (SJHS) in Texas reported a data breach at the beginning of the year that has affected more than 405,000 patients, employees, and employee beneficiaries. Information was reportedly accessed through a single server by hackers from China and other locations.

The data included patient names, birth dates, Social Security numbers, and possibly addresses. Medical information for patients was accessible, as well as bank information for current and former employees. However, investigators could not determine if any information had been extracted.

“SJHS is working with the United States Federal Bureau of Investigation, which is also looking into this incident,” the hospital said in a statement. “SJHS is providing written notice of this incident to affected individuals, to the U.S. Department of Health and Human Services, as well as to certain state and international regulators.”