Archives

Unencrypted Device Breaches Persist

June 24, 2015

Health Data Breach Tally Shows String of Theft Incidents

By , June 23, 2015.

Unencrypted Device Breaches Persist

Although hacker attacks have dominated headlines in recent months, a snapshot of the federal tally of major health data breaches shows that stolen unencrypted devices continue to be a common breach cause, although these incidents usually affect far fewer patients.

As of June 23, the Department of Health and Human Services’ Office for Civil Rights’ “wall of shame” website of health data breaches affecting 500 or more individuals showed 1,251 incidents affecting nearly 134.9 million individuals.

Those totals have grown from 1,213 breaches affecting 133.2 million individuals in an April 29 snapshot prepared by Information Security Media Group (see Breach Tally Shows More Hacker Attacks).

The federal tally lists all major breaches involving protected health information since September 2009, when the HIPAA Breach Notification rule went into effect. As of June 23, about 52 percent of breaches on the tally listed “theft” as the cause.

Among the breaches added to the tally in recent weeks are about a dozen involving stolen unencrypted computers. Lately, those type of incidents have been overshadowed by massive hacking attacks, such as those that hit Anthem Inc. and Premera Blue Cross.

“Although we’ve seen some large hacking attacks, they are aimed at higher-profile organizations than the more typical provider organization,” says privacy and security expert Kate Borten, founder of the consulting firm, The Marblehead Group. “Attackers know that these organizations have a very high volume of valuable data. But I continue to believe that unencrypted PHI on devices and media that are lost or stolen is ‘the’ most common breach scenario affecting organizations of any size.”

Borten predicts that many incidents involving unencrypted devices will continue to be added to the wall of shame. “Getting those devices encrypted is an ongoing challenge when we expand the requirement to tablets and smartphones, particularly when owned by the users, not the organization,” she says. “We also shouldn’t overlook encryption of media, including tapes, disks and USB storage drives.”

Unencrypted Device Breaches

The largest breach involving unencrypted devices that was recently added to the tally was an incident reported to HHS on June 1 by Oregon Health Co-Op., an insurer.

That incident, which impacted 14,000 individuals, involved a laptop stolen on April 3. In a statement, the insurer says the device contained member and dependent names, addresses, health plan and identification numbers, dates of birth and Social Security numbers. “There is no indication this personal information has been accessed or inappropriately used by unauthorized individuals,” the statement says.

Also recently added to the federal tally was a breach affecting 12,000 individuals reported on June 10 by Nevada healthcare provider Implants, Dentures & Dental, which is listed on the federal tally as “doing business as Half Dental.” The incident is listed as a theft involving electronic medical records, a laptop, a network server and other portable electronic devices.

In addition to the recent incidents involving stolen or lost unencrypted devices, several breaches added to the wall of shame involve loss or stolen paper records or film.

“Breaches of non-electronic film and paper will never end, but at least these breaches are typically limited to one or a small number of affected individuals,” Borten says. Because many of the breaches involving paper or film are often due to human error, “effective, repeated training is essential” to help prevention of such incidents, she says.

Read full article…

Unencrypted Devices Still a Breach Headache

May 13, 2015

The Ongoing Risk Posed by Lost, Stolen Mobile Devices

By , May 12, 2015.

Unencrypted Devices Still a Breach Headache

While hacker attacks are grabbing most of the health data breach headlines so far in 2015, a far more ordinary culprit – the loss or theft of unencrypted computing devices – is still putting patient data at risk.

See Also: PHI Security: The Role of Encryption and Tokenization

Incidents involving unencrypted laptops, storage media and other computing devices are still popping up on the Department of Health and Human Services’ “wall of shame,” which lists health data breaches affecting 500 or more individuals. Among the largest of the most recent incidents is a breach at the Indiana State Medical Association.

That breach involved the theft of a laptop computer and two hard drives from a car parked for 2-1/2 hours in an Indianapolis lot, according to local news website, The Star Press. Information on more than 38,000 individuals, including ISMA employees, as well as physicians, their families and staff, was contained in the ISMA group health and life insurance databases on those devices.

The incident occurred on Feb. 3 while ISMA’s IT administrator was transporting the hard drives to an offsite storage location as part of ISMA’s disaster recovery plan, according to The Star Press. An ISMA spokeswoman declined Information Security Media Group’s request to comment on the breach, citing that there are “ongoing civil and criminal investigations under way.”

A breach notification letter sent by ISMA indicates that compromised data included name, address, date of birth, health plan number, and in some cases, Social Security number, medical information and email address. ISMA is offering those affected one year’s worth of free credit monitoring.

Common Culprit

As of Feb. 27, 51 percent of major health data breaches occurring since 2009 involved a theft while 9 percent involved a loss, according to data presented by an Office for Civil Rights official during a session at the recent HIMSS 2015 Conference in Chicago. Of all major breaches, laptop devices were involved in 21 percent of the incidents, portable electronic devices in 11 percent and desktop computers in 12 percent, according to the OCR data.

Two of the five largest breaches to date on the Wall of Shame involved stolen unencrypted computing devices:

  • A 2011 breach involving the theft of unencrypted backup computer tapes containing information on about 4.9 million individuals from the car of a Science Applications International Corp. employee who was transporting them between federal facilities on behalf of military health program TRICARE.
  • The 2013 theft of four unencrypted desktop computers from an office of Advocate Health and Hospital Corp. in Chicago, which exposed information on about 4 million patients.

Many smaller breaches affecting less than 500 individuals also involve unencrypted computing devices, according to OCR.

Safe Harbor

The thefts and losses of encrypted computing devices are not reportable breaches under HIPAA. That’s why security experts express frustration that the loss and theft of unencypted devices remains a common breach cause.

“It is unfortunate that [encryption] is considered an ‘addressable’ requirement under HIPAA, as many people don’t realize that this does not mean optional,” says Dan Berger, CEO of security risk assessment firm Redspin, which was recently acquired by Auxilio Inc.

Under HIPAA, after a risk assessment, if an entity has determined that encryption is a reasonable and appropriate safeguard in its risk management of the confidentiality, integrity and availability of e-PHI, it must implement the technology. However, if the entity decides that encryption is not reasonable and appropriate, the organization must document that determination and implement an equivalent alternative measure, according to HHS.

Attorney David Holtzman, vice president of compliance at the security consulting firm CynergisTek, says he’s expecting to see soon an OCR resolution agreement with a healthcare provider that suffered several breach incidents caused by their failure to manage the mobile devices used by their employees on which electronic protected health information was stored or accessed.

Read full article…

Biggest Health Data Breaches in 2014

December 23, 2014

Federal Tally Reveals Latest Trends

By , December 22, 2014.

Biggest Health Data Breaches in 2014

The five biggest 2014 health data breaches listed on the federal tally so far demonstrate that security incidents are stemming from a variety of causes, from hacker attacks to missteps by business associates.

The top breaches offer important lessons that go beyond the usual message about the importance of encrypting laptops and other computing devices to prevent breaches involving lost or stolen devices, still the most common cause of incidents. They also highlight the need to bolster protection of networks and to carefully monitor the security practices of business associates.

The Department of Health and Human Services’ Office for Civil Rights adds breaches to its “wall of shame” tally of incidents affecting 500 or more individuals as it confirms the details. A snapshot of the federal tally on Dec. 22 shows that 1,186 major breaches impacting a total of nearly 41.3 million individuals have occurred since the HIPAA breach notification rule went into effect in September 2009.

According to the tally, the top five health data breaches in 2014 affected a combined total of nearly 7.4 million individuals.

The largest breach in 2014 was the hacking attack on Community Health System, which affected 4.5 million individuals. In that incident, forensic experts believe an advanced persistent threat group originating from China used highly sophisticated malware and technology to attack the hospital chain’s systems.

The Community Health Systems incident is also the second largest health data breach since the enactment of the HIPAA data breach notification rule in 2009. The largest breach is a 2011 incident involving TRICARE, the military health program, and its contractor, Science Applications International Corp., which affected 4.9 million individuals.

Business Associate Troubles

The second largest HIPAA incident in 2014 implicated a business associate. That breach, affecting 2 million individuals, involved an ongoing legal dispute between the Texas Health and Human Services Commission and its former contractor, Xerox, which had provided administrative services for the Texas Medicaid program. The breach arose when the state ended its contract with Xerox. The vendor allegedly failed to turn over to the state computer equipment, as well as paper records, containing Medicaid and health information for 2 million individuals.

However, in September, following a court hearing, the state and Xerox reached an agreed order for the vendor to retain the disputed documents and data until a hearing in January. Texas HHSC in a statement tells Information Security Media Group that the state “believes there was a low risk that client information was compromised and that the information will be protected” by Xerox as the court case continues.

Another top five health data breach in 2014 involved both a business associate and a more familiar culprit – stolen unencrypted computing devices. That Feb. 5 incident involved a vendor that provided patient billing and collection services to the Los Angeles County departments of health services and public health. The theft of eight unencrypted desktop computers from an office of Sutherland Healthcare Services – L.A. County’s vendor – affected more than 342,000 individuals, the federal tally shows. Initially, that breach was believed to have impacted about 168,000 individuals, but the figure was subsequently revised.

Unsecure Files

The fourth largest 2014 breach on the federal tally involved Touchstone Medical Imaging, a Brentwood, Tenn.-based provider of diagnostic imaging services, which became aware in May “that a seldom-used folder containing patient billing information relating to dates prior to August 2012 had inadvertently been left accessible via the Internet. The breach affected more than 307,000 patients.

Read full article…

TD Bank to Pay Second Breach Penalty

December 9, 2014

Massachusetts Cites Bank for Tardy Notification

By , December 8, 2014. Follow Jeffrey @gen_sec

TD Bank has agreed to a second state settlement tied to a data breach involving the loss of two backup tapes that may have exposed personally identifiable information for 260,000 of the bank’s 8 million U.S. customers.

The $625,000 settlement with the Massachusetts attorney general is separate from an earlier, $850,000, nine-state settlement (see:TD Bank Agrees to Breach Settlement). Massachusetts pursued its own investigation because the breach occurred in that state and affected a large number of its residents, a spokesperson for the attorney general tells Information Security Media Group.

The Latest Settlement

In the Massachusetts settlement, Attorney General Martha Coakley said the breach exposed the personal information of more than 90,000 Massachusetts customers.

Coakley alleged that TD Bank violated the state’s data breach notice law by delaying providing notice of the March 2012 incident until October 2012. Under Massachusetts law, breached entities are required to provide written notice “as soon as practicable and without unreasonable delay.”

“Businesses are required to secure the sensitive information that consumers entrust to them, and cannot subject consumers to unnecessary risk by failing to provide prompt notice when that information is compromised or lost,” Coakley says.

TD Bank, in a statement, says it has been continually enhancing its technologies and processes to better protect the personal information of its customers. “This agreement highlights our efforts to evolve our security controls to further benefit our customers,” says Judith Schmidt, a TD Bank spokesperson. “TD Bank has settled with the attorneys general in an effort to resolve this issue.”

Under the Massachusetts settlement, TD Bank will pay $325,000 in civil penalties, $75,000 in attorney’s fees and costs, and $225,000 to a fund administered by the attorney general’s office to promote education or to fund local consumer aid programs.

In addition, TD Bank has agreed to give prompt notice of future data breaches and to comply with Massachusetts data security regulations, which mandate that organizations encrypt personal information stored on back-up tapes; require third-party service providers to implement and maintain appropriate security measures; and review the security practices and procedures of third-party providers entrusted with personal information.

Backup Tapes Lost

TD Bank reported in October 2012 that two unencrypted backup tapes, which contained 1.4 million files on 260,000 bank customers nationwide, were lost (see: TD Bank Breach Response Questioned). The bank, in its breach notification letter, said the tapes, which contained personal information, were misplaced in late March of 2012 while in transit to one of the bank’s Massachusetts locations.

The information on the tapes may have included names, addresses, Social Security numbers, account numbers and/or other data elements, such as dates of birth or driver’s license numbers, the bank says. As a result, TD Bank offered affected customers 12 months of free credit monitoring services, although the bank advised its customers to monitor their accounts for 24 months.

View article source...