Optical Care Chain Loses a Server, Again

December 5, 2014

Missing Computer Contained PHI for 48,000 Customers

By Marianne (@HealthInfoSec), December 2, 2014

For the second time in recent weeks, Visionworks Inc. has revealed that one of its stores misplaced a database server, apparently due to improper disposal.

In a Nov. 21 statement, Visionworks, a unit of Pittsburgh, Pa.-based healthcare insurer Highmark Inc., revealed that a database server at a store in Jacksonville, Fla., containing “partially unencrypted protected health information” belonging to approximately 48,000 customers had been mistakenly discarded after it was replaced on June 2 during scheduled computer upgrades.

Last month, the chain announced that a store in Annapolis, Md., lost a database server containing patient information in June while it was being replaced during a store renovation (see Lost Server: What Went Wrong?). The lost Maryland computer, which contained data on 75,000 customers of that store location, is believed by Visionworks to have been discarded by mistake in a landfill.

Preventive Steps

The Highmark spokesman declined to comment on steps the company is taking to prevent the loss of more servers from its stores. “Visionworks is in the process of fully encrypting all servers. The process should be complete within the next six months,” he says.

While encrypting all data on the lost computers could have prevented the breach at both store locations, “server hard-drive encryption in an optometrist store is very rare,” notes Kerry McConnell, a senior consultant at the security services firm Tom Walsh Consulting.

Security experts say the back-to-back incidents spotlight the need for organizations to have solid inventory management and data disposal practices, and to ensure that staff are aware of those policies.

“In our experience doing HIPAA risk assessments, we often see storerooms or locked ‘cages’ of older used equipment,” says Dan Berger, CEO of security services firm Redspin. “We often point this out as a vulnerability for precisely the reason that occurred at Visionworks. Once taken out of service, it is very easy to forget what is on each server or workstation,” he says. “That sets the stage for an inadvertent discarding of a device that contains lots of confidential data.”

Berger stresses that having policies safeguarding PHI even when it’s no longer needed is mandated under HIPAA.

“We cite the HIPAA Security Rule, which requires that covered entities and business associates implement policies and procedures to address the final disposition of electronic PHI and/or the hardware or electronic media on which it is stored,” he says.


November 20, 2014

5 ways health data breaches are far worse than financial ones

Tom Garrubba, Senior director, Santa Fe Group and Shared Assessments Program | November 10, 2014

Remember that song Janis Joplin made famous, “Piece of My Heart”? I do, and it reminds me of the fundamental difference between financial and healthcare data breaches.

The breach of personal financial information causes stress — recovering missing funds, paying late fees or interest, worrying about creditworthiness. Ultimately, however, a person’s financial identity can be fully restored.

Not so with medical identity. Healthcare data breaches have a much more personal, longer lasting, and potentially deadly impact.

Victims are at the mercy of those who, through fair means or foul, have control of their protected health information (PHI). And several factors contribute to the costlier, deadlier effects of healthcare data breaches over financial ones.

1. High volume of healthcare data breaches. 2013 statistics from the Identity Theft Resource Center were reported in a recent Fortune.com article: 44 percent of all breaches were healthcare related, while financial service breaches were just 3.7 percent (the first time that healthcare industry breaches exceeded all others). Healthcare is again on track to lead in 2014, also according to the Identity Theft Resource Center—a dubious distinction, to be sure.
….

2. The difficulty in restoring medical identities. Victims of healthcare data breaches have fewer resources to help them.
….

3. Ignorance of the deadly consequences. Individuals don’t realize the devastating impact associated with a breach of their health records. What was presumed private—physical, mental, and prescriptive health history—could be made public and used inappropriately. This data could appear anywhere at any time, online, in the form of cyberbullying or worse, blackmail.
….
