BreachExchange mailing list archives

Four health care providers report breaches: Protecting data not high priority?


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 21 Jan 2016 17:52:10 -0700

http://www.examiner.com/article/four-health-care-providers-report-breaches-protecting-data-not-high-priority

About 21,000 California Blue Shield customers and family members may soon
receive a notice that their information was part of a breach, according to a
notice on Jan. 19. Blue Shield claims that the data may have been accessed
between Sept. and Dec. 2015 by an “unauthorized user,” typically called
“hackers or insiders who have criminal intent.” Compromised information
includes name, address, date of birth, Social Security number and possibly
medical records including medical identification number of anyone enrolled
between Oct. 2013 and Dec. 2015.

The company said the breach occurred when a vendor who provides enrollment
assistance was targeted by a telephone scam at the call center. It appears
that log-in credentials of customer service reps were targeted and then
abused. BlueCross/BlueShield is not a stranger to breaches. In 2015 more
than 100 million customers were affected by company breaches in various
regions including subsidiaries Anthem, Excellus, and Premera.

A study released at the end of Dec. 2015 by the Association for Corporate
Counsel found “employee error” turns out to be the most common reason for a
data breach. An example of the kind of employee error mentioned in the
survey – “accidentally sending an email with sensitive information to someone
outside the company” – has been pinpointed in studies about workplace
breaches for more than 15 years. Other examples include lost laptops,
storage devices and even mobile devices.

Last week Montana’s New West Health Services, which offers Medicare
Advantage and Medicare Supplemental Plans, announced that an unencrypted
laptop was stolen from an off-site location. It contained past and current
information for about 25,000 customers including names, addresses, and in
some cases driver’s license numbers, Social Security numbers or Medicare
claim numbers. It may also have held payment information, including bank
account or credit card information, as well as some health information,
including birthdates, medical history and condition, diagnosis and/or
prescription information.

Additionally, during the week of Jan. 11 in New York, a USB drive was stolen
from St. Luke’s Cornwall Hospital exposing some 29,156 patients' personal
health information (PHI). The stolen thumb drive appears to have included a
file which may have contained for some patients their name, medical record
number, date of service, type of imaging service received, and
administrative-type information used for internal business purposes. The
thumb drive did not contain any Social Security numbers or electronic
medical records, which remain secure.

In Indiana a missing storage device at Indiana University Health Arnett
Hospital may have exposed 29,324 patients' data. The hospital sent out
notification letters explaining it contained patient names, ages, dates of
birth, home phone numbers, medical record numbers, service dates, diagnosis
information, and treating physicians of people who visited the emergency
department between Nov. 1, 2014 and Nov. 20, 2015. As with BlueCross, this
is not the first time Arnett Hospital had a breach due to lost equipment.
In May 2013 IU Health Arnett was compelled to notify more than 10,000
patients when an unencrypted laptop was stolen.

“The richness of the information means that the cyber security threat to
healthcare has increased,” said Michael Ebert, KPMG partner and healthcare
leader at the firm’s Cyber Practice, in their 2015 Cyber Healthcare Survey.
“The magnitude of the threat against healthcare information has grown
exponentially, but the intention or spend in securing that information has
not always followed.

“A hospital typically has some tough choices when it comes to investing,”
Ebert says. “If it has a million dollars it is more likely to spend on
patient care and saving lives before protecting their data.”
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 