Over the last 3 weeks, 3 high-volume, high-profile data breaches have occurred which will affect over 1.3 million healthcare consumers. These 3 most recent large volume security breaches came from three different areas of security vulnerability: at South Carolina Medicaid the breach resulted from internal misconduct and inappropriate access by an employee, at Utah Medicaid the breach resulted from malicious activity by a hacker, and at Emory, the breach resulted from lost backup tapes.
While ARRA in 2009 introduced heightened enforcement, increased reporting requirements and higher penalties for security breaches, security has clearly not received sufficient attention among many healthcare organizations' investment priorities. Healthcare providers clearly need more comprehensive security measures, and cannot afford to wait to invest in all areas of security if they are to avoid the multiple penalties associated with security failures.
3 high-profile, high-volume security breaches occurred in the past 3 weeks, compromising information on over 1.3 million patients in total and putting them at risk:
- On April 19, the South Carolina Department of Health and Human Services (SCDHHS) announced that an employee inappropriately transferred files on 228,435 Medicaid beneficiaries to his personal email account. The information transferred included names, addresses, phone numbers, birth dates, and Medicaid ID numbers. In 22,604 cases, Medicare numbers, which include social security numbers, were also linked to the names. SCDHHS claims that all devices that stored the information have been impounded and that there was no transmission of the information, but will offer identity theft protection services for "peace of mind" for the victims. More information at http://www.myscmedicaid.org/
- Utah's Medicaid security breach is far larger and more disturbing than South Carolina's, as the potential for fraud and malicious use of the information is quite high. On March 30, the Utah Department of Health experienced a cyber attack from a hacker after a configuration error at the password authentication level allowed the hacker to circumvent security. Up to 280,000 people had their social security numbers stolen, and up to 500,000 others may have had other information (name, date of birth and addresses) stolen; the breach is estimated to affect 27% of Utah's population. The breach included Medicaid recipients as well as other individuals who had inquired about eligibility. The department is warning victims of potential fraud and adult victims will receive credit monitoring for one year. The breach also included Children's Health Insurance Program beneficiaries, and these children will need to remain in a high fraud risk monitoring database until they reach age 17. More information at http://www.informationweek.com/news/healthcare/security-privacy/232900128
- In the private provider sector, Emory Healthcare in Atlanta announced on April 18 that it had lost or misplaced 10 backup disks containing information for 315,000 patients that were kept in an unlocked cabinet. The data included information on surgical patients treated from 1990-2007 at Emory University Hospital and Emory Clinical Ambulatory Surgical Center. 228,000 of the patient files included social security numbers, while others had names and clinical data compromised. The breach included data on John Fox, the president and CEO of Emory Healthcare, who was among the surgical patients during the time period in question, according to the Atlanta Journal-Constitution (http://www.ajc.com/news/patient-data-missing-for-1421620.html). The patients affected will receive one year of credit monitoring services.
These 3 breaches came from 3 different sources and affected over 1.3 million individuals, ranging from children to Medicaid beneficiaries and even extending to a health system CEO. The scope, volume and severity of these breaches highlight the need for a multi-pronged approach to security by healthcare organizations, as network security, intrusion detection and prevention, physical security and internal threats all need to be carefully assessed and considered.
What is your biggest security concern? What security measures will your health system be investing in during 2012? Post questions to our forum or speak to an analyst directly; feel free to contact me at email@example.com, or on Twitter at twitter.com/JudyHanover.