Biggest Health Data Breaches in 2014

December 23, 2014

Federal Tally Reveals Latest Trends

By , December 22, 2014.

The five biggest 2014 health data breaches listed on the federal tally so far demonstrate that security incidents are stemming from a variety of causes, from hacker attacks to missteps by business associates.

The top breaches offer important lessons that go beyond the usual message about the importance of encrypting laptops and other computing devices to prevent breaches involving lost or stolen devices, still the most common cause of incidents. They also highlight the need to bolster protection of networks and to carefully monitor the security practices of business associates.

The Department of Health and Human Services’ Office for Civil Rights adds breaches to its “wall of shame” tally of incidents affecting 500 or more individuals as it confirms the details. A snapshot of the federal tally on Dec. 22 shows that 1,186 major breaches impacting a total of nearly 41.3 million individuals have occurred since the HIPAA breach notification rule went into effect in September 2009.

According to the tally, the top five health data breaches in 2014 affected a combined total of nearly 7.4 million individuals.

The largest breach in 2014 was the hacking attack on Community Health Systems, which affected 4.5 million individuals. In that incident, forensic experts believe an advanced persistent threat group originating from China used highly sophisticated malware and technology to attack the hospital chain’s systems.

The Community Health Systems incident is also the second largest health data breach since the enactment of the HIPAA data breach notification rule in 2009. The largest breach is a 2011 incident involving TRICARE, the military health program, and its contractor, Science Applications International Corp., which affected 4.9 million individuals.

Business Associate Troubles

The second largest HIPAA incident in 2014 implicated a business associate. That breach, affecting 2 million individuals, involved an ongoing legal dispute between the Texas Health and Human Services Commission and its former contractor, Xerox, which had provided administrative services for the Texas Medicaid program. The breach arose when the state ended its contract with Xerox. The vendor allegedly failed to turn over to the state computer equipment, as well as paper records, containing Medicaid and health information for 2 million individuals.

However, in September, following a court hearing, the state and Xerox reached an agreed order for the vendor to retain the disputed documents and data until a hearing in January. Texas HHSC in a statement tells Information Security Media Group that the state “believes there was a low risk that client information was compromised and that the information will be protected” by Xerox as the court case continues.

Another top five health data breach in 2014 involved both a business associate and a more familiar culprit – stolen unencrypted computing devices. That Feb. 5 incident involved a vendor that provided patient billing and collection services to the Los Angeles County departments of health services and public health. The theft of eight unencrypted desktop computers from an office of Sutherland Healthcare Services – L.A. County’s vendor – affected more than 342,000 individuals, the federal tally shows. Initially, that breach was believed to have impacted about 168,000 individuals, but the figure was subsequently revised.

Unsecure Files

The fourth largest 2014 breach on the federal tally involved Touchstone Medical Imaging, a Brentwood, Tenn.-based provider of diagnostic imaging services, which became aware in May “that a seldom-used folder containing patient billing information relating to dates prior to August 2012 had inadvertently been left accessible via the Internet.” The breach affected more than 307,000 patients.


TD Bank to Pay Second Breach Penalty

December 9, 2014

Massachusetts Cites Bank for Tardy Notification

By , December 8, 2014. Follow Jeffrey @gen_sec

TD Bank has agreed to a second state settlement tied to a data breach involving the loss of two backup tapes that may have exposed personally identifiable information for 260,000 of the bank’s 8 million U.S. customers.

The $625,000 settlement with the Massachusetts attorney general is separate from an earlier, $850,000, nine-state settlement (see: TD Bank Agrees to Breach Settlement). Massachusetts pursued its own investigation because the breach occurred in that state and affected a large number of its residents, a spokesperson for the attorney general tells Information Security Media Group.

The Latest Settlement

In the Massachusetts settlement, Attorney General Martha Coakley said the breach exposed the personal information of more than 90,000 Massachusetts customers.

Coakley alleged that TD Bank violated the state’s data breach notice law by delaying providing notice of the March 2012 incident until October 2012. Under Massachusetts law, breached entities are required to provide written notice “as soon as practicable and without unreasonable delay.”

“Businesses are required to secure the sensitive information that consumers entrust to them, and cannot subject consumers to unnecessary risk by failing to provide prompt notice when that information is compromised or lost,” Coakley says.

TD Bank, in a statement, says it has been continually enhancing its technologies and processes to better protect the personal information of its customers. “This agreement highlights our efforts to evolve our security controls to further benefit our customers,” says Judith Schmidt, a TD Bank spokesperson. “TD Bank has settled with the attorneys general in an effort to resolve this issue.”

Under the Massachusetts settlement, TD Bank will pay $325,000 in civil penalties, $75,000 in attorney’s fees and costs, and $225,000 to a fund administered by the attorney general’s office to promote education or to fund local consumer aid programs.

In addition, TD Bank has agreed to give prompt notice of future data breaches and to comply with Massachusetts data security regulations, which mandate that organizations encrypt personal information stored on back-up tapes; require third-party service providers to implement and maintain appropriate security measures; and review the security practices and procedures of third-party providers entrusted with personal information.

Backup Tapes Lost

TD Bank reported in October 2012 that two unencrypted backup tapes, which contained 1.4 million files on 260,000 bank customers nationwide, were lost (see: TD Bank Breach Response Questioned). The bank, in its breach notification letter, said the tapes, which contained personal information, were misplaced in late March of 2012 while in transit to one of the bank’s Massachusetts locations.

The information on the tapes may have included names, addresses, Social Security numbers, account numbers and/or other data elements, such as dates of birth or driver’s license numbers, the bank says. As a result, TD Bank offered affected customers 12 months of free credit monitoring services, although the bank advised its customers to monitor their accounts for 24 months.


Optical Care Chain Loses a Server, Again

December 5, 2014

Missing Computer Contained PHI for 48,000 Customers

By , December 2, 2014. Follow Marianne @HealthInfoSec

For the second time in recent weeks, Visionworks Inc. has revealed that one of its stores misplaced a database server, apparently due to improper disposal.

In a Nov. 21 statement, Visionworks, a unit of Pittsburgh, Pa.-based healthcare insurer Highmark Inc., revealed that a database server at a store in Jacksonville, Fla., containing “partially unencrypted protected health information” belonging to approximately 48,000 customers had been mistakenly discarded after it was replaced on June 2 during scheduled computer upgrades.

Last month, the chain announced that a store in Annapolis, Md., lost a database server containing patient information in June while it was being replaced during a store renovation (see: A Lost Server: What Went Wrong?). The lost Maryland computer, which contained data on 75,000 customers of that store location, is believed by Visionworks to have been discarded by mistake in a landfill.

Preventive Steps

The Highmark spokesman declined to comment on steps the company is taking to prevent the loss of more servers from its stores. “Visionworks is in the process of fully encrypting all servers. The process should be complete within the next six months,” he says.

While encrypting all data on the lost computer could have potentially prevented the breach at both store locations, “Server hard-drive encryption in an optometrist store is very rare,” notes Kerry McConnell, a senior consultant at the security services firm Tom Walsh Consulting.

Security experts say the back-to-back incidents spotlight the need for organizations to have solid inventory management and data disposal practices, and to ensure that staff are aware of those policies.

“In our experience doing HIPAA risk assessments, we often see storerooms or locked ‘cages’ of older used equipment,” says Dan Berger, CEO of security services firm Redspin. “We often point this out as a vulnerability for precisely the reason that occurred at Visionworks. Once taken out of service, it is very easy to forget what is on each server or workstation,” he says. “That sets the stage for an inadvertent discarding of a device that contains lots of confidential data.”

Berger stresses that having policies safeguarding PHI even when it’s no longer needed is mandated under HIPAA.

“We cite the HIPAA Security Rule, which requires that covered entities and business associates implement policies and procedures to address the final disposition of electronic PHI and/or the hardware or electronic media on which it is stored,” he says.


A Lost Server: What Went Wrong?

Inventory Management, Data Disposal Practices in the Spotlight

By , November 14, 2014. Follow Marianne @HealthInfoSec

The loss of a server at an optical wear retail store in Maryland offers a reminder not only of the importance of encryption but also the value of good inventory management and data disposal practices.

Visionworks Inc., a unit of Pittsburgh, Pa.-based healthcare insurer Highmark Inc., says the problems began when the server was being replaced in June during a remodeling project at its store in Annapolis, Md. “We believe that the server was accidentally removed with trash from recent renovations and taken to a local landfill” along with other materials, a Highmark spokesman tells Information Security Media Group.

The server held protected health information for as many as 75,000 of the store’s customers, according to a Visionworks statement. “All credit card information housed on the server was encrypted, and therefore should not be at risk,” the company says.

Besides the encrypted credit card data, however, the server also contained unencrypted data, including customer names and addresses and some information related to optometrist visits and lens prescriptions, the spokesman explains.

Server Security

While lost and stolen unencrypted computers and storage media, especially mobile devices, are the most common culprits in breaches that appear on HHS’ “wall of shame”, which lists breaches affecting 500 or more individuals, some security experts say the Visionworks server incident is somewhat unusual.

“It’s highly unlikely to lose a server since they typically don’t move around once they get ‘racked and stacked’ in a data center,” says Brian Evans, senior managing consultant at IBM Security Services.

Also, while encryption of all data contained on the lost server would have protected against a data breach, “it’s not commonplace in healthcare to encrypt servers for a variety of reasons,” he says. “Most organizations think they’re safe because their data is secure within a data center environment where access is physically restricted,” he says – unlike the retail setting where the Visionworks server was located.

“Visionworks could have benefitted from a formal media disposal and asset inventory process,” Evans says. “As a result, the server operating system could’ve been wiped or destroyed while tracking and accounting for this asset.”

Lessons Learned

All healthcare organizations should have policies that spell out how computing devices need to be handled if moved or relocated, says Tom Walsh, president of the independent security consultancy Tom Walsh Consulting.

He suggests that such a policy should state: “Any media, equipment, or device containing memory and possibly storing confidential information needs to be sanitized or erased before the media or equipment is reused, sent to a vendor for repair, sold, or prepared for donation or disposal.”

Additionally, he says relocation policies often prescribe that, “hard disk drives are removed from servers, workstations, laptops and other devices – including multifunction printers – and kept temporarily in a secure holding area, such as a locked office/cage/room/cabinet, until the hard drives are physically destroyed by the IT department staff or electronics recycling vendor. The inventory tracking database also needs to be updated when equipment is removed from service.”
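Walsh’s relocation policy and Evans’ point about a formal asset inventory process can be enforced in a tracking system rather than left to memory: an asset that leaves service goes into a holding state, disposal is refused until a sanitization record exists, and anything sitting unsanitized past a holding limit is reported. The Python below is an added example, not code from Visionworks, Highmark or any consultant quoted here; the asset tags, dates and 30-day holding limit are constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Asset:
    tag: str                     # inventory tag (sample values below are constructed)
    has_storage: bool            # holds a drive or memory that could carry PHI
    removed_from_service: Optional[date] = None
    sanitized_on: Optional[date] = None
    disposed_on: Optional[date] = None

class Inventory:
    """Decommissioning tracker: out of service -> sanitized -> disposed."""
    def __init__(self):
        self.assets = {}
    def add(self, asset):
        self.assets[asset.tag] = asset
    def remove_from_service(self, tag, on):
        self.assets[tag].removed_from_service = on   # entry into the holding cage
    def record_sanitization(self, tag, on):
        self.assets[tag].sanitized_on = on           # wipe/destruction logged
    def dispose(self, tag, on):
        a = self.assets[tag]
        if a.has_storage and a.sanitized_on is None:
            raise PermissionError(f"{tag}: has storage, no sanitization on record")
        a.disposed_on = on
    def overdue(self, today, max_hold_days=30):
        """Forgotten assets: out of service, unsanitized, held past the limit."""
        return sorted(a.tag for a in self.assets.values()
                      if a.removed_from_service and a.sanitized_on is None
                      and (today - a.removed_from_service).days > max_hold_days)

def sample_run():
    """Constructed walkthrough: a replaced store server is held, its disposal is
    refused until wiped, and a workstation left in the cage is flagged."""
    inv = Inventory()
    inv.add(Asset("SRV-STORE-01", True))
    inv.add(Asset("WS-STORE-07", True))
    inv.remove_from_service("SRV-STORE-01", date(2014, 6, 1))
    inv.remove_from_service("WS-STORE-07", date(2014, 6, 1))
    try:
        inv.dispose("SRV-STORE-01", date(2014, 6, 2))
        refused = False
    except PermissionError:
        refused = True                               # blocked: not yet sanitized
    inv.record_sanitization("SRV-STORE-01", date(2014, 6, 10))
    inv.dispose("SRV-STORE-01", date(2014, 6, 11))
    return refused, inv.overdue(date(2014, 7, 15))
```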
