Tuesday, June 18, 2013

Must Privacy Breaches Require "IT Gymnastics"?

A privacy breach of diagnostic images and personal information on 500 patients was reported by a Canadian hospital.

The breach was the result of a staff physician sharing his username and password with a physician not affiliated with the hospital. While physicians often share information with others in the course of providing care, there are regulations that must be complied with to protect patient confidentiality. In this case it seems regulations were not followed, and the Information and Privacy Commission of Ontario is investigating.

"The privacy breach was discovered in early April and it took multiple gymnastics from an IT perspective to be able to come up with a list and determine to what extent and when it began."
- Andree Robichaud, CEO Thunder Bay Regional Health Sciences Centre
The hospital CEO noted "multiple gymnastics from an IT perspective" were needed to determine when the breach began and its extent. IT gymnastics can be eliminated by using Identity and Access Intelligence (IAI) SaaS analytics services.
Download a white paper on patient privacy breach detection. Learn how to proactively identify unauthorized breaches of patient data privacy, even by authorized users - with no hardware and no on-site software.
Sources:
(a) Hospital Apologizes for Data Breach - www.seclists.org, 05/28/2013

Monday, June 17, 2013

Hospital Worker Steals 1,000 Patient IDs

Federal law enforcement alleges that hospital worker Curtis Fullwood stole the identities of more than 1,000 psychiatric patients.

Mr. Fullwood's job was to help mental patients find work, but he has been accused of taking their identity information from hospital computers and then filing fraudulent tax returns.

"Fullwood obtained patients' information by illegally using computers at the Pembroke Pines psychiatric hospital to steal the identities of people who were admitted for treatment." - SunSentinel
It is unclear if the hospital knew about the identity thefts or if they first learned about the patient privacy breach from federal law enforcement. Healthcare organizations can utilize low-cost on-demand SaaS analytics services to proactively detect theft of patients' private information.
Sources:
(a) Psychiatric patients' IDs stolen by hospital worker, feds say - Sun-Sentinel, 06/11/2013

Friday, June 14, 2013

Private Rx Info Breach at State Database

Florida's E-FORCE program was "to encourage safer prescribing of controlled substances and to reduce drug abuse and diversion within the state" but, as some feared, it has put private health data at risk.

The ACLU of Florida said, “The private medical information of more than 3,000 Floridians — namely what prescription drugs they take, the dosage, their date of birth, address and the name of the pharmacy that dispensed the prescription, ended up in the hands of third parties who simply have no legal right to know which law-abiding citizens are taking which prescribed medications.”

"None of the 3,300 individuals involved either gave their consent or was notified of the release. The violation only became known when one individual unrelated to the criminal investigations became aware of the privacy breach."
- FloridaWatchdog.org
Supposedly the E-FORCE program must comply with federal and state privacy laws and regulations; if this is the case, then an "accounting of disclosures," a report of what patient data was released and to whom, should be available.

This type of tracking and reporting is now fast and easy to obtain using low-cost on-demand SaaS analytics services.

Download a white paper on accounting of disclosures of medical records. Learn how to identify to whom private patient data was disclosed - with no hardware and no on-site software.
Sources:
(a) Floridians see private Rx info leaked from state database - www.FloridaWatchdog.org, 06/13/2013

Thursday, June 13, 2013

Prime Healthcare Violates Patient Privacy, Fined $275K

Prime Healthcare Services has agreed to pay $275,000 to settle a federal case alleging violation of patient privacy by the CEO of the Shasta Regional Medical Center (owned by Prime).

Additional fines related to this matter were imposed by the California Department of Public Health (DPH), $95,000 for violating patient confidentiality, plus $3,100 for not reporting the breach to the state and the patient in a timely manner.

"The federal Office for Civil Rights, which investigated the matter, declined to comment in detail on the settlement until the company made the $275,000 payment."
- Los Angeles Times, Money & Co., 06/11/2013
Breaches of patient privacy by "insiders" can be detected using low-cost on-demand SaaS analytics services.
Sources:
(a) Prime Healthcare Pays $275K To Settle Federal Patient Privacy Case - www.CaliforniaHealthline.com, 06/12/2013

Wednesday, June 12, 2013

2013 Breach Cost Study: Healthcare Highest at $233/Person

The 2013 Cost of Data Breach Study, conducted by the Ponemon Institute, found the average global cost of a data breach was $136 in 2012, a $6 increase over 2011. For financial services and healthcare organizations, which hold more personally identifiable information, the cost was $215 and $233 per person, respectively. For example, that amounts to $233,000 if 1,000 patient records are inappropriately accessed at a healthcare facility.

Mr. Ponemon said that regulations initially mean higher breach-related expenses but eventually could save companies money.

"Healthcare and financial services companies maintain more personally identifiable information on their servers than enterprises in other sectors."
- Larry Ponemon, Ponemon Institute
An approach to data breaches that can save organizations money initially as well as long term is low-cost on-demand SaaS detection analytics services.
Download a white paper on data privacy breach detection. Learn how to proactively identify unauthorized breaches of data privacy, even by authorized users - with no hardware and no on-site software.
Sources:
(a) Regulations' Impact on Data Breach Costs - www.BankInfoSecurity.com, 06/11/2013

Tuesday, June 11, 2013

Drug Bust Uncovers Patient Privacy Breach?

A drug bust recovered personal information on 4,500 Sutter Health patients; patients' names, Social Security numbers, birthdates, genders, addresses, zip codes, marital status, employer names, and home/work phone numbers may have been exposed.
"...cannot yet disclose how or where the information was obtained because of the ongoing investigation." - Stacey Wells, Sutter Health
As this breach was just announced, we'll post more details as they become available. However, it seems the hospital was unaware of the breach until law enforcement brought it to their attention. Organizations can now proactively detect privacy breaches with low-cost on-demand SaaS analytics services.
Sources:
(a) Sutter Health Acknowledges Security Breach - eSecurityPlanet.com, 6/10/2013

Copyright © 2010-2011 by Veriphyr Incorporated, All Rights Reserved.

Contact us at Veriphyr.com.