Former Therapist Charged in HIPAA Case

April 10, 2015

Faces Charges Tied to Inappropriate Access to Records

By , April 9, 2015.

A former respiratory therapist at an Ohio hospital has been indicted for HIPAA violations in connection with alleged inappropriate access to the records of nearly 600 patients.

The indictment of Jamie Knapp, who had formerly worked at ProMedica Bay Park Hospital in Oregon, Ohio, is one of only a handful of criminal prosecutions of individuals for HIPAA violations.

“Overall, criminal prosecutions under HIPAA have not been that common, although we have seen an increase in recent years,” says privacy attorney Scot Ganow of the law firm Faruki Ireland & Cox PLL. “I do expect us to see more prosecutions as the interest in healthcare information increases for a variety of purposes, including identity theft, cyberstalking, public shaming and celebrity watching.”

According to indictment documents filed this month in a federal court in Ohio, a grand jury indicted Knapp for unlawfully obtaining identifiable health information of 596 patients in violation of HIPAA. The grand jury also charged Knapp with unauthorized access of a protected computer, in violation of federal laws.

“In her capacity as a respiratory therapist, Knapp was authorized to access individually identifiable health information and protected health information of certain respiratory patients,” according to the indictment. “Knapp was not authorized to access the individually identifiable health information and protected health information of other hospital patients.”

Federal prosecutors involved in the case did not immediately respond to Information Security Media Group’s request for more details about the alleged HIPAA violations.

Accessing protected health information without authorization and the disclosure of this information to a third party carries a jail term of up to 10 years in addition to a maximum fine of $500,000 if the disclosure is made for personal gain, Ganow says.

On May 28, 2014, ProMedica, the parent company of the 72-bed hospital where Knapp worked, began notifying the affected patients that their records were inappropriately accessed between April 1, 2013, and April 1, 2014 (see Police Investigating Insider Breach). The breach was also reported to the U.S. Department of Health and Human Services, which has listed the incident on its “wall of shame” website of major breaches as an unauthorized access/disclosure incident involving electronic medical records and a network server.

Other HIPAA Cases

There have been only a handful of other HIPAA-related indictments of individuals that have resulted in convictions and prison sentences.

“Most recently, we saw the criminal conviction of hospital employee Joshua Hippler in Texas for wrongful disclosure of individually identifiable health information for personal gain,” Ganow notes. In February, Hippler was sentenced to serve 18 months in prison after pleading guilty on Aug. 28, 2014, to wrongful disclosure of individually identifiable health information (see Prison Term in HIPAA Violation Case).

Federal prosecutors say that from December 2012 through January 2013, Hippler was an employee of an unidentified East Texas hospital, where he obtained protected health information with the intent to use it for personal gain.

In another case in October 2013, Denetria Barnes, a former nursing assistant at a Florida assisted living facility, was sentenced to 37 months in prison after pleading guilty to several federal offenses, including conspiracy to defraud the U.S. government and wrongful disclosure of HIPAA protected information.

Ganow predicts prosecutors will pursue more of these criminal HIPAA cases. “As long as the healthcare industry continues to actively use Social Security numbers and not take steps to redact them or commit to a minimum use policy, we will see increased criminal activity and related prosecutions,” he says. “Because healthcare records have names, dates of births and SSNs, they are a tempting target for one-stop shop identity thieves.”

Still, there are steps that healthcare entities can take to minimize insider breaches.

“It’s not enough to have your policies, procedures and safeguards in place. You have to continually assess your security posture for new threats or new risks as a result of a new use of information,” he says.
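The authorization model the indictment describes, a clinician cleared to view certain patients’ records but not others’, is exactly what a routine review of EHR access-audit logs has to check. The following Python is an added example, not code from the article or from any hospital or vendor system named in it; the log format, the user and patient identifiers, and the assigned-patients table are constructed for illustration.

```python
"""Insider-snooping review over EHR chart-access audit logs.

Hypothetical, constructed example. The pipe-delimited log format, the user
IDs, patient IDs and the treatment-relationship table below are invented
for illustration and are not taken from any real system or case.
"""
from collections import defaultdict
from datetime import datetime

# Constructed audit log: timestamp | user | role | patient id | action
AUDIT_LOG = """\
2013-04-02T08:11:03 | rt_jdoe | respiratory_therapist | P1001 | view_chart
2013-04-02T08:14:27 | rt_jdoe | respiratory_therapist | P1002 | view_chart
2013-04-02T12:40:09 | rt_jdoe | respiratory_therapist | P2077 | view_chart
2013-04-02T12:41:55 | rt_jdoe | respiratory_therapist | P2078 | view_chart
2013-04-02T12:43:10 | rt_jdoe | respiratory_therapist | P2079 | view_demographics
2013-04-02T09:02:44 | rn_asmith | nurse | P1001 | view_chart
2013-04-02T09:05:01 | rn_asmith | nurse | P3300 | view_chart
this line is malformed and should be skipped
"""

# Constructed treatment relationships: the patients each user is assigned to
# (in a real deployment this would come from the care-team / census feed).
ASSIGNED_PATIENTS = {
    "rt_jdoe": {"P1001", "P1002", "P1003"},
    "rn_asmith": {"P1001", "P3300"},
}


def parse_audit_log(text):
    """Parse the constructed log into event dicts; malformed lines are skipped."""
    events = []
    for raw in text.splitlines():
        parts = [p.strip() for p in raw.split("|")]
        if len(parts) != 5:
            continue
        ts, user, role, patient, action = parts
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "role": role,
            "patient": patient,
            "action": action,
        })
    return events


def find_out_of_scope_access(events, assignments):
    """Return events where the user has no treatment relationship with the patient.

    A user absent from the assignments table is treated as having no
    assigned patients, so every access by that user is flagged for review.
    """
    return [e for e in events
            if e["patient"] not in assignments.get(e["user"], set())]


def summarize_by_user(flagged):
    """Count distinct out-of-scope patients per user, for prioritising review."""
    per_user = defaultdict(set)
    for e in flagged:
        per_user[e["user"]].add(e["patient"])
    return {user: len(patients) for user, patients in per_user.items()}


def users_over_threshold(summary, threshold):
    """Users whose distinct out-of-scope patient count reaches the threshold."""
    return sorted(u for u, n in summary.items() if n >= threshold)


if __name__ == "__main__":
    events = parse_audit_log(AUDIT_LOG)
    flagged = find_out_of_scope_access(events, ASSIGNED_PATIENTS)
    for e in flagged:
        print(f"{e['ts'].isoformat()} {e['user']} ({e['role']}) "
              f"accessed {e['patient']} without an assignment: {e['action']}")
    summary = summarize_by_user(flagged)
    print("distinct out-of-scope patients per user:", summary)
    print("users to escalate (>= 3):", users_over_threshold(summary, 3))
```

The check is deliberately a whitelist: an access is acceptable only when a current treatment relationship exists, which is the same standard the indictment applies. In practice the assignment feed changes daily and legitimate break-glass access exists, so the output is a review queue for the privacy office rather than an automatic verdict, and the threshold keeps one-off census lag from drowning the reviewer.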

Read full article…

It’s Time to Re-Examine Risk Management

March 30, 2015

Attacks Against Anthem, Others Are a Call to Action

By Bob Chaput, March 27, 2015

Just as 9/11 shattered our assumptions about the impregnability of U.S. defense systems, the recent Anthem Inc., Premera Blue Cross and Community Health Systems mega-breaches show that we need a top-to-bottom re-examination of what information risk management really requires.

To be fair, most healthcare boards of directors and C-suite executives have had their hands full just dealing with the Affordable Care Act and the momentous shift from the fee-for-service model to value-based care. That may be the reason why so many healthcare boards and C-suites are either ill-informed or disengaged from information risk management.

“We must move from the technical/tactical/spot-welding approach to a business architectural solution that’s strategic.”

In the wake of the highly publicized Community Health Systems, Anthem and now Premera hacking incidents, most organizations are scrambling to play catch-up – often trying to “checklist” their way to security. By default, and in the absence of board and C-suite direction, this approach is often too technical, too tactical and involves too much spot-welding.

Here are some reasons why it’s not a matter of if, but when, the next Anthem-style disaster strikes:

Most organizations don’t truly understand the scope of the problem. Although the Anthem hacking incident, which affected 78.8 million individuals, made headlines worldwide, hackers only account for about 8 percent of major health data breaches since September 2009, according to the Department of Health and Human Services. The other 92 percent are mainly due to preventable mistakes made by an organization’s own employees and business associates – losing a laptop containing unencrypted PHI, improperly disposing of paper records, “snooping” into and disclosing confidential data, etc. A health system might pat itself on the back for avoiding an Anthem-type breach, then get stung by a smaller scale breach that can still tarnish its reputation and cost millions to remedy.

The value and vulnerability of patient data are increasing dramatically. The anticipated growth of the national eHealth Exchange means that the likelihood of breaches will continue to rise. The exchange is predicted to soon connect hundreds of hospitals and thousands of medical groups. Hackers will no doubt be encouraged by what the Anthem thieves got their hands on: dates of birth, physical and e-mail addresses, and Social Security numbers of nearly 80 million individuals. That’s the equivalent of the entire populations of California, New York, Illinois and Maryland.

Too few organizations have a formal process for benchmarking the maturity of their IRM programs. The healthcare field is way behind other industries in this regard. The FBI said as much in its April 2014 Privacy Industry Notice and its August 2014 Alert. Many manufacturers and retailers routinely use maturity models to test the efficacy of their supply chain management and business intelligence. Healthcare needs to make it a priority to benchmark its IRM programs.

The term “data security expert” doesn’t equate with “risk management expert.” Too many healthcare organizations rely on their IT staff to ward off hackers, forgetting that breaches also come in a variety of low-tech (or no-tech) varieties. Plus the Anthem breach begs the question: What were the “experts” really doing?

Although the hackers did penetrate several layers of Anthem security, they may have gained access to the huge database by using a stolen password. And numerous media reports suggest that Anthem hadn’t bothered to encrypt the database. At the very least, we shouldn’t be making it easier for hackers to do their job. Whether the Anthem hackers were part of an international cyber-espionage team – or just brainy teenagers – doesn’t really matter. Several news organizations are reporting that the insurer will soon exhaust its $100 million cyber-insurance coverage to meet the staggering cost of identity theft repair and credit monitoring.

The healthcare field has “HIPAA compliance” myopia. The Anthem breach proves once and for all that information risk management is much more than a HIPAA compliance issue. IRM has a direct impact on patient safety and quality of care. But even more than that, it’s a discipline that’s essential to the health of a company’s brand and bottom line.

The Anthem breach demonstrates that there’s still a glaring need for better board and C-suite education about what constitutes comprehensive IRM. We must move from the technical/tactical/spot-welding approach to a business architectural solution that’s strategic. To do so, healthcare organizations need to use new benchmarking tools to help them assess the maturity of their IRM initiatives.

If the CHS breach was a wake-up call, the massive Anthem breach was a bugle blaring across healthcare boardrooms and C-suites nationwide. Let’s hope that it rouses leaders to action.

Bob Chaput, CISSP, HCISPP, CRISC, CIPP/US, is CEO of Clearwater Compliance, an information risk management advisory firm based in Nashville, Tenn., that offers an IRM benchmarking tool.

Go to original article…

Copiers Could be Putting Sensitive Information at Risk

February 26, 2015

Updated: 02/23/2015 11:33 AM
Created: 02/19/2015 8:46 PM KSTP.com
By: Josh Rosenthal

Copy machines are in nearly every office around the world. Most of us use them without thinking twice, which is exactly what identity thieves are counting on.

Almost every time you make a copy, so does your copier.

Back in October, we got a tip. A computer expert told us nearly every copier has a hard drive, just like a computer, and it stores images of everything. So we responded to a Craigslist ad and got a copier for free. Then we took it to a computer forensics expert at LuciData in downtown Minneapolis.

What he found in less than 15 minutes shocked us all: sensitive information belonging to more than a dozen people, including names, addresses, social security numbers, W2s, credit reports, and thousands of dollars in copied checks.

“With the documents I found, a criminal could easily perpetrate some sort of identity theft against that person,” explained LuciData’s Chris Schulte.

The copier belonged to a financial company, based in Minneapolis. The owner refused to talk to us. He also expressed zero interest in telling his clients about the data breach.

When asked how often something like this happens, Schulte said, “well, how many copiers are in use?”

From there, we reached out to three major copier manufacturers. They said their copiers all have built-in security features. A spokesperson from Konica Minolta told us for some companies the security features started in 2010, when a national media report alerted many customers to the problem.

“After that story broke, customers were asking for hard drive security kits, and companies were scrambling to find (them),” Konica Minolta said.

Five years later, we wanted to see just how many Minnesotans knew about the problem. We got four more copiers off Craigslist, all from local businesses.

“I don’t think anybody even considers it,” said Tony Borner of Tony’s Appliance Inc. We didn’t find any data on Borner’s copier, but we were able to pull sensitive data off of two others, bringing our total to three data breaches from five copiers.

“If an identity thief ended up with these exact same five copiers, they would have literally hundreds and hundreds and hundreds of documents containing personal information,” Schulte said.

The fifth copier led to the largest haul: 662 documents, including 25 social security numbers and more than $130,000 in copied checks. We bought it from another financial company. The owner said he’s just too shocked and too embarrassed to comment.

So, here’s what you can do to protect your information: Schulte says if you’re going to get rid of an old copier, remove the storage device first. It could be a hard drive or a compact flash card. Either way, it’s replaceable so you could sell your copier without one. Also, if you’re in an office setting, talk to whoever services your copier. There’s a good chance it has security features that may just need to be turned on.

View original article…

$10 Million Fine in Improper Disposal Case

January 15, 2015

Safeway Cited in Handling of Pharmacy Records, Waste

By , January 14, 2015.

The grocery store chain Safeway has been ordered to pay a $9.87 million penalty as part of a settlement with California prosecutors related to improper disposal of confidential pharmacy records and hazardous waste in dumpsters.

The settlement resolves allegations that Safeway unlawfully disposed of customer pharmacy records containing private medical information in violation of California’s Confidentiality of Medical Information Act.

Prosecutors in California also alleged Safeway unlawfully disposed of various hazardous materials over a period of longer than seven years. Those materials included over-the-counter medications, pharmaceuticals, aerosol products, ignitable liquids, batteries, electronic devices and other toxic, ignitable and corrosive materials, according to a statement from the Alameda County District Attorney’s Office. That office took the lead on the civil enforcement lawsuit filed on Dec. 31 by a coalition of 43 California district attorneys and two city attorneys.

Safeway operates about 500 stores and distribution centers in California under a number of brand names, including Von’s, Pavilions and Pak ‘n Save, and is in the process of merging with another large grocery chain, Albertsons, which operates stores in several states under brands that include ACME, Albertsons, Jewel-Osco, Lucky, Shaws, Star Market and Super Saver.

The case against Safeway by the California district attorneys was based on a series of waste inspections of dumpsters belonging to Safeway facilities conducted by state environmental regulators and other inspectors during 2012 and 2013.

Kenneth Mifsud, Alameda County assistant district attorney, tells Information Security Media Group that the inspections were conducted at dozens of Safeway stores about once a month during an 18-month period. Investigators – who examined retail store waste taken to landfills – found violations in about 40 percent of the stores inspected. In some cases, pharmacy documents, such as store summaries listing medical and personal information on dozens of patients, were found among the waste, he says.

“The inspections revealed that Safeway was routinely and systematically sending hazardous wastes to local landfills, and was failing to take measures to protect the privacy of their pharmacy customers’ confidential medical information,” says the Alameda County district attorney’s statement. “Upon being notified by prosecutors of the widespread issues, Safeway worked cooperatively to remedy the issue, enhance its environmental compliance program and train its employees to properly handle such waste.”

The case against Safeway spotlights the importance of retail pharmacy chains, hospitals and other healthcare entities properly shredding or “making indecipherable” patient and other consumer personal information before disposing it, Mifsud says.

“There’s a risk of identity theft committed by dumpster divers, and unfortunately by some employees,” he says.

Settlement Terms

According to settlement documents filed in the Superior Court in Alameda County on Dec. 31 – the same day the suit was filed by the district attorneys against Safeway – the $9.87 million in civil penalties and costs Safeway agreed to pay are mainly related to the environmental and unfair business claims against the company. The unfair business claims encompass the violations of California’s medical confidentiality laws, Mifsud says.

Read full article…

What’s behind the dramatic rise in medical identity theft?

October 24, 2014

by   OCTOBER 19, 2014, 11:44 AM EDT

A decentralized U.S. health system, increasing digitization of records, and demand in the black market are fueling a surge in thefts.

An elderly man went to the emergency room after injuring his back. When he got there, the doctor noticed that he also had an infection. He offered the elderly man penicillin, the same medication he received during his last visit to the ER.

The elderly man was confused. This was his first visit to the ER, and he was allergic to penicillin. Why would his records say otherwise?

It soon became clear that someone else had used the elderly man’s health insurance card at the ER to obtain penicillin and a host of other medications. At some point, the elderly man had misplaced his card; after reporting it lost, his insurance company had sent him a replacement with the same number.

This was just one of several harrowing anonymous stories told to the authors of a report by the Medical Identity Fraud Alliance called “The Growing Threat of Medical Identity Fraud: A Call to Action.” In the last five years, the number of data breaches in the medical sector has quadrupled. Last year, for the first time, the medical sector experienced more breaches than any other. It’s again on track to lead in 2014, according to the ID Theft Center. While the health care industry has long suffered fraud by providers or employees fraudulently billing insurers, Medicare, or Medicaid, the medical industry is only just now trying to catch up to the quickly growing threat from hackers.

With the increasing digitization of health information (in the form of electronic health records) and the formation of health exchanges (due to the Affordable Care Act), the trend in medical identity theft is unlikely to abate any time soon. Personal medical information is useful to many different types of criminals, which is why it fetches a higher price on the black market than financial information. The sheer number of targets also makes the medical sector easy prey. Furthermore, technology has come relatively late to the health industry, and data security at health organizations can lag behind. The digitization that accompanies the Affordable Care Act may initially cause a surge in the number of breaches, but some analysts believe it could eventually reduce demand for medical information.

Read more…