Saturday, December 31, 2011

Court Rules for Patient in Medical Privacy Suit

A woman who was awarded $100,000 in compensation for a violation of her medical privacy will get a chance to seek more money, the 8th Circuit ruled.

Jane Doe sued three doctors over a newspaper article about the doctors that contained information violating her medical privacy.

Her suit resulted in an award of $100,000, but her follow-up suit claimed that the court erred in excluding testimony that would have resulted in a larger judgment.

In a split decision this week, a three-judge panel of the 8th Circuit agreed with Doe.

For more see the Courthouse News Service

Friday, December 30, 2011

Insurance Privacy Breach Leads to Arson, Shootings

A former employee of Vancouver-based Insurance Corporation of British Columbia (ICBC) is being investigated in connection with shooting and arson incidents in the Vancouver area. According to the RCMP, the former employee is a woman who had worked for ICBC for 15 years. She is alleged to have accessed the information of people associated with the Justice Institute of British Columbia, whose homes were targeted for attack. A link between the employee and organized crime elements is under review.

Police made the connection to the Justice Institute in September 2011 and announced that 10 people had been victimized. That number has since grown to 13 and police are trying to determine if there have been other incidents.

It is believed that the woman accessed the personal information of 65 individuals. Further reports from CBC indicated the woman was fired in August 2011 for unspecified reasons. Because she was fired before the investigation linked her to the attacks, it’s not clear whether unauthorized access played a role in her departure. If her access were not properly terminated, she could have continued to disseminate personal information after her firing.

ICBC has taken unspecified measures to prevent similar privacy breaches in the future.
Regular audit of access to confidential data — even by employees with approved access — is a necessary component of effective defense against privacy breaches. Download a white paper on privacy breach detection as a service. Learn about a service that proactively identifies unauthorized breaches of privacy and security, even by authorized users — with no hardware and no on-site software.

Follow Veriphyr on Twitter (@Veriphyr) for more privacy breach news!

Saturday, December 24, 2011

Government Workers Fired for Data Privacy Violation

Five government employees were fired for inappropriately accessing sensitive government computer applications and selling personal details to debt collection agencies. Two more are under investigation as part of a national review which could result in prosecutions.

The five employees admitted breaching the government's strict privacy code. As a condition of employment they had signed the Code of Conduct and a declaration acknowledging their responsibility to protect privacy.
"There is never any excuse for accessing a client's file without a legitimate work-related reason." - Janet Grossman, Work and Income
The Privacy Commissioner has been informed, and each client whose privacy has been breached is being contacted individually.

The government said it has zero tolerance for staff who breach the privacy of clients. To ensure this, the government's Integrity Unit regularly conducts time-consuming reviews of the logs of user access and activity to identify violations.
Are you auditing violations of privacy by your employees? Download a white paper on privacy breach audits. Learn how to proactively identify unauthorized breaches of data privacy, even by authorized users - with no hardware and no on-site software.
(a) WINZ staff under fire -, December 24, 2011

Friday, December 23, 2011

The Costs of a Privacy Breach: Are You Ready?

In “First-Hand Experience with a Patient Data Security Breach,” the CEO of an implementation services company discusses the impact of a data breach on his company and the patient practices it serves, and the resultant costs. While the breach stemmed from a lost laptop rather than from insider actions, an analysis of the response process and the expenses incurred provides rare insight into an effective breach response program “under fire,” as well as how costly breaches of PHI can be. For a data breach involving the compromise of over 14,000 records (which ultimately placed the PHI of 1,000 patients at risk), the total cost of breach investigation and response was a staggering $288,000. After legal fees, the single largest component of the cost was staff time, estimated at $125,000. The diversion of staff time to the manual processes needed to determine the extent of the damage added significantly to the total.

It seems that many health care providers would find themselves financially exposed in the event of a serious data breach. HealthLeaders Media cites a survey indicating that most healthcare organizations are not ready for a privacy and security audit:
"HCPro's survey results show that only 17% of responding organizations said they are fully prepared for an OCR privacy and security compliance audit. "It is very hard to get your staff to understand how important this is," one compliance officer said. "
Through our own research and conversations with health care executives, we have found that the key best practices for curbing intentional privacy breaches include:
  • effective training in privacy standards
  • explicitly communicating the sanctions for misbehavior
  • ensuring staff know that the means of audit and detection are reliable
Download a white paper on medical records privacy breach detection as a service. Learn about a service that proactively identifies unauthorized breaches of patient privacy, even by authorized users - with no hardware and no on-site software.
(a) First-Hand Experience with a Patient Data Security Breach -, December 3, 2011
(b) Most Providers Unprepared for HIPAA Audit - HealthLeaders Media

Friday, December 16, 2011

Risk Indicators of Insider Threats

Dr. Eric Shaw and Dr. Harley Stock of the Incident Management Group have published “Behavioral Risk Indicators of Malicious Insider Theft of Intellectual Property: Misreading the Writing on the Wall,” a report on the warning signs and behaviors indicating the likelihood of insider attacks on enterprise IP.

While espionage by foreign governments and attacks by hackers grab the headlines, the vast majority of data breaches and IP theft are perpetrated by insiders. Unfortunately, most IT security budgets are allocated disproportionately to the more sensational (but less likely) attack vectors. This may be explained by the fact that technical controls over insider abuse of access are difficult to enforce – it may not be easy to tell the difference between legitimate and illegitimate access to sensitive data, and detection usually requires tedious manual review of activity logs and comparison with approved rights.

In the vast majority of cases, an enterprise has already captured the evidence of the attack in activity logs but lacks the tools or expertise to reveal what has happened. As a result,
"…insiders use technical means to steal IP, but most theft is discovered by non-technical employees. The majority of subjects (54 percent) used a network—email, a remote network access channel or network file transfer to remove their stolen data. However, most insider IP theft was discovered by non-technical versus technical employees… Sometimes the company involved was unaware of the theft until law enforcement notified them after discovering it during a related investigation."
Even worse, some thieves recruit their co-workers to participate in their schemes. If identifying a single perpetrator is challenging, uncovering “fraud chains” involving multiple insiders is extraordinarily difficult with traditional log review methods. Applying advanced data analytics to reveal behavioral patterns of multiple insiders offers the best defense against complex inside attacks.

Insider attacks are often presaged by other violations of policy. As the report states, "Employees with a history of previous rule violations elsewhere are at even greater risk for future violations."

Verizon, in their 2010 Data Breach Investigations Report, made the same observation. Minor breaches of security often come before a major insider attack. We would recommend a review of unusual patterns of access indicating reconnaissance on critical systems, applications, networks, or sensitive records.

At Veriphyr, we have written at length about insider attacks in this blog. For more information in a health care context, we have published "From Insider Abuse to Insider Accountability,” which describes the problem of insider abuse and how data analytics can be applied to reveal abusive patterns of access that manual auditing misses, while relieving compliance, privacy, and IT staff of the need for installing and maintaining new hardware or software.

More on insider attacks: get our RSS feed, and follow us on Twitter (@Veriphyr)!

Sunday, December 11, 2011

Medical Records are Worth $50 Each on the Black Market

A single patient's medical record is worth $50 on the black market, according to a panel of cyber security specialists at the Digital Health Conference held on December 1st in New York City.

One reason for the high value is that a person cannot cancel their own medical history, whereas they can always cancel a stolen credit card number. This makes it much harder to prevent stolen medical data from being used by criminals.

Medical record data is worth $50 on the black market. That is much more than Social Security numbers ($3), credit card information ($1.50), date of birth ($3), or mother's maiden name ($6).

Stolen medical data -- such as electronic health records or insurance information -- is lucrative because thieves use it to submit false or inflated medical claims, buy prescription medication, or pay for treatment - all at the victim's expense.

The panel of experts pointed out that impermissible use of patient data at healthcare and insurance companies is an increasing source of stolen medical data - this includes data lost or stolen by insiders such as healthcare or insurance workers.

The panelists explained how impermissible use of medical data is detectable by analyzing activity in electronic health record applications and other clinical and financial computer systems.

Learn how Veriphyr uses Structural Analytics to detect "impermissible use" of patient data in clinical and business applications by employees, contractors, and third parties.

(a) DHC: EHR Data Target for Identity Thieves - MedPage Today - 12/07/2011
(b) Digital Health Conference - Digital Health Conference, December 1-2, 2011

Friday, December 9, 2011

VA Hospital Employee Charged with Identity Theft

An employee at a VA medical center in Miami is alleged to have sold personal information of disabled veterans using her privileged access to hospital systems. The information was later used to open unauthorized credit card accounts at Citibank.

The employee faces charges connected with the theft and sale of the personal information of at least 22 military veterans. Kendrick is alleged to have used her position in the medical center’s travel benefits department to obtain names, addresses, dates of birth, and Social Security numbers, which she in turn transferred to an accomplice who opened the credit card accounts.

The fraud was discovered after the VA Office of Inspector General received complaints regarding the fraudulent accounts.

Most attention in the press on the security of patient information centers on electronic health records. However, patient billing information is also vulnerable, and the systems that hold billing information typically do not have any built-in audit capabilities. An effective defense of patient privacy focuses on tracking access to all systems and applications holding personally identifiable information to ensure that sensitive information is accessed only by authorized personnel and only in accordance with their job function. Problem access needs to be identified and remediated quickly. The challenge for health care providers is to do this with limited personnel and budgets, and without introducing new software or hardware into the IT environment.
Download a white paper on data breach detection as a service. Learn about a service that proactively identifies unauthorized breaches of patient privacy, even by authorized users - with no hardware and no on-site software.

Subscribe to our RSS feed and follow us on Twitter (@Veriphyr)!

Saturday, December 3, 2011

#1 Security Priority in Healthcare

"It's becoming increasingly clear that the age of strictly voluntary compliance with respect to HIPAA has come to an end, and the threat of expensive settlements and corrective action plans with federal and state regulators is becoming an increasing reality," - Adam Greene, former official at HHS/OCR (Department of Health and Human Services' Office for Civil Rights)

"There are various ways to do auditing, but it's important to do smart auditing rather than just a completely random sample. There are certainly tools available to do algorithms that may hone in on potential problem areas." - Adam Greene

"small breaches also are sometimes the much harder ones to catch. When you've got a large breach that's readily apparent much of the time, whereas often times it requires proactive monitoring to find all the small breaches that are going on in the organization, and that's where I think organizations aren't really putting their resources. They're simply unaware of the volume of small breaches that may be happening."- Adam Greene

Download a white paper on medical records privacy breach detection as a service. Learn about a service that proactively identifies unauthorized breaches of patient privacy, even by authorized users - with no hardware and no on-site software.

Monday, November 28, 2011

Police Probe Medical Records Stalker

Following patient privacy breaches affecting several hospitals in the Lothian region of Scotland, in which dozens of health care staff were disciplined, Scottish police are now investigating a case in which a patient was stalked by a worker.

A janitor working at Edinburgh Royal Infirmary, one of Scotland’s largest hospitals, has been accused of contacting a patient via email and via her Facebook account. The janitor has admitted using hospital computers to access the woman’s medical records, which he used to obtain her contact information and pursue her online.

The day after receiving treatment for a broken hand, she received a Facebook friendship request with the accompanying message: “Btw if ur wonderin who i am, i was checkin u out yest :) ha hows the hand?X”

In all the woman received five messages, including one pleading with her not to pursue an investigation.
“I was really upset when I read the e-mail,” she said. “I didn’t know who he was, what he was capable of, or whether he also knew my address and telephone number. I didn’t know if he was just going to turn up at the house. It’s just wrong in so many ways.”
Chairwoman Margaret Watt of the Scottish Patients Authority called for an investigation: “Workers should not have access to patient files…This has hugely overstepped the mark. It means there is no safety if people like this can go and read files.”
If you're required to investigate a breach of patient privacy, how long will your personnel be tied up doing the work? Download a white paper on medical records privacy breach detection as a service. Learn about a service that proactively identifies unauthorized breaches of patient privacy, even by authorized users - with no hardware and no on-site software.
Police probe hospital patient privacy breach - The Scotsman, November 25, 2011

Stay updated on privacy issues: get our RSS feed and follow us on Twitter (@Veriphyr)!

Friday, November 18, 2011

16 Suspended for Snooping on Co-Worker

Sixteen workers at the New York State Office of Children and Family Services have been suspended after allegations they snooped into the confidential files of a co-worker.

The worker, Kristen Trapalis, had been arrested in May on charges of marijuana possession and child endangerment, but the charges were later dropped. OCFS officials refused to identify the specific information the woman’s co-workers had been looking at, but it’s believed that they were accessing a restricted register of child abusers to see if Trapalis had been added to it. If the allegations are true, the employees face sanctions ranging from loss of pay to termination of their employment.

Misuse of access to confidential information beyond what is needed for an employee’s job function is spreading across multiple industries: government (particularly tax authorities), health care, and financial services have all reported employee access violations this year. Earlier, we blogged that employee snooping of confidential medical records of their co-workers was the leading cause of insider breaches among health care providers we surveyed.
Regular audits of access to sensitive information deter employee misuse of access. Learn how Veriphyr identity and access intelligence services streamline detection of insider abuse of access rights and deter data snooping and theft by insiders.

Source: Snoop Case Snares 16 State Workers - Albany Times-Union, November 15, 2011

Thursday, November 17, 2011

Report: Government Insider Breaches on the Rise

A report conducted by Telus and the University of Toronto's Rotman School of Management indicated that reported breaches of confidential information by Canadian federal and provincial insiders rose in 2011. The study found that forty-two per cent of breaches in government were perpetrated by insiders either misusing authorized access or violating access controls entirely.

Violations of access control by insiders are among the most difficult types of attack to detect. This is so because of the need to manually review mountains of log data and compare actual usage with authorized permissions to detect violations of policy. Worse, users may have accumulated unnecessary or obsolete rights as a result of job changes. The personnel who perform the analysis may not have the knowledge of what is legitimate business access and rely on business leaders for review. The result is lots of time spent chasing false positives – it’s no wonder that most businesses neglect this type of review.

Veriphyr Identity and Access Intelligence is a SaaS application that automates the review of user access activity with rights without the need to deploy hardware or software on-premises. We take uploads of raw, unfiltered, and unmapped exports of your directory rights, access control lists, and system and application activity logs to automatically correlate identities, rights, and activity to detect violations of access policy.
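The review described above, correlating who a user is, what rights they hold and what they actually did, can be illustrated with a small script. The following is an added example written for this post; it is not Veriphyr's code and does not reflect its product. The log format (pipe-separated fields), the rights export, the role-to-resource policy and the treatment roster are all constructed for the example, and the four checks (access outside granted rights, clinical access with no care relationship, self-access, and access to a co-worker's record) are the kinds of violations discussed in these posts rather than any vendor's rule set.

```python
"""Correlate an access log with a rights export and a treatment roster to
flag access-policy violations. Added example; all data below is constructed."""
from collections import defaultdict

# Constructed rights export: user -> (role, department)
RIGHTS = {
    "jsmith": ("nurse", "ED"),
    "mlee": ("billing_clerk", "Billing"),
    "kdoe": ("janitor", "Facilities"),
    "rpatel": ("physician", "Cardiology"),
}

# Constructed policy: which resources each role may read or change
ROLE_PERMISSIONS = {
    "nurse": {"ehr"},
    "physician": {"ehr", "lab"},
    "billing_clerk": {"billing"},
    "janitor": set(),
}

# Resources that hold clinical data and therefore require a care relationship
CLINICAL_RESOURCES = {"ehr", "lab"}

# Constructed treatment roster: patient_id -> users with a care relationship
CARE_TEAM = {
    "P1001": {"jsmith", "rpatel"},
    "P1002": {"rpatel"},
    "P2001": {"jsmith"},
}

# Constructed mapping of patient records that belong to employees
EMPLOYEE_PATIENTS = {"P2001": "mlee"}

# Constructed raw activity log: timestamp|user|resource|patient_id|action
LOG_LINES = """
2011-11-15T08:02:11|jsmith|ehr|P1001|view
2011-11-15T08:05:40|kdoe|ehr|P1002|view
2011-11-15T09:10:05|mlee|billing|P1001|view
2011-11-15T09:12:30|rpatel|ehr|P1002|update
2011-11-15T10:30:00|jsmith|ehr|P2001|view
2011-11-15T10:31:12|rpatel|ehr|P2001|view
2011-11-15T11:00:00|mlee|billing|P2001|view
2011-11-15T11:45:00|jsmith|lab|P1001|view
""".strip().splitlines()


def parse_line(line):
    """Split one constructed log line into a dict of fields."""
    ts, user, resource, patient, action = line.strip().split("|")
    return {"ts": ts, "user": user, "resource": resource,
            "patient": patient, "action": action}


def check_event(ev):
    """Return the list of policy findings for a single access event."""
    findings = []
    user, resource, patient = ev["user"], ev["resource"], ev["patient"]
    if user not in RIGHTS:
        # Activity by an identity with no rights record (e.g. a stale account)
        return ["unknown_user"]
    role, _dept = RIGHTS[user]
    has_care = user in CARE_TEAM.get(patient, set())

    # 1. Actual use outside the rights the role was granted
    if resource not in ROLE_PERMISSIONS.get(role, set()):
        findings.append("outside_granted_rights")
    # 2. Clinical data touched by someone not on the patient's care team
    if resource in CLINICAL_RESOURCES and not has_care:
        findings.append("no_care_relationship")
    # 3. Employee looking at their own record, or 4. at a co-worker's record
    if EMPLOYEE_PATIENTS.get(patient) == user:
        findings.append("self_access")
    elif patient in EMPLOYEE_PATIENTS and not has_care:
        findings.append("coworker_record")
    return findings


def audit(lines):
    """Run every log line through the checks; return (ts, user, patient, findings)."""
    report = []
    for line in lines:
        ev = parse_line(line)
        findings = check_event(ev)
        if findings:
            report.append((ev["ts"], ev["user"], ev["patient"], findings))
    return report


def summarize_by_user(report):
    """Count findings per user so reviewers can prioritise who to look at first."""
    counts = defaultdict(int)
    for _ts, user, _patient, findings in report:
        counts[user] += len(findings)
    return dict(counts)


if __name__ == "__main__":
    for row in audit(LOG_LINES):
        print(row)
    print(summarize_by_user(audit(LOG_LINES)))
```

On the constructed log the script flags four of the eight events: the janitor reading a chart, a physician viewing a co-worker's record without being on the care team, a billing clerk opening her own billing record, and a nurse reading a lab result her role does not permit. A nurse on the care team viewing the same co-worker's record is not flagged, which is the point of correlating rights and relationships rather than matching on the patient alone.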

Veriphyr delivers reports on policy violations that are quickly and easily grasped by non-technical business leaders.

Visit Veriphyr to learn more. Other vendors deliver technology; Veriphyr delivers answers.


Friday, November 11, 2011

Survey: Regulatory Compliance is Top Data Security Job for Health Care

HealthcareInfoSecurity has published the results of its inaugural "Healthcare Information Security Today" survey, sponsored by Experian and Diebold. The report casts light on health care providers' top information security trends, threats and priorities. The number one data security priority? Improving regulatory compliance. This is not surprising, as we previously wrote about HHS' Office for Civil Rights expanding audits of HIPAA compliance ("OCR Begins HIPAA Compliance Audits").
"When I speak with business leaders about data security, many tell me that protecting sensitive data is a top priority but can't say how it's being done." - Ozzie Fonseca, Director, Experian DBR
Highlights of the top data security priorities include:
  • 63% - improving regulatory compliance
  • 49% - preventing and detecting internal breaches
  • 46% - investing in and improving audit logging
51% of respondents indicated that their ability to meet the requirements of the proposed Accounting of Disclosures Rule was either poor, inadequate, or in need of improvement.

The results mirror what we learned in our own Veriphyr 2011 Survey of Patient Privacy Breaches, which we released in September. In our findings, we revealed that over 70% of health care providers surveyed reported one or more breaches of patient privacy in the past year. Insider abuse of privileges to snoop on medical records was the leading cause of privacy violations.

"The State of Healthcare Information Security Today" -, November 2011

Want to stay updated on data security issues in health care? Subscribe to our RSS feed!

Wednesday, November 9, 2011

OCR Begins HIPAA Compliance Audits

Six months ago, we blogged in our post, “More Hospital Audits to Find HIPAA Security Rule Violations,” that the Department of Health and Human Services Office for Civil Rights would step up their enforcement activity in response to a critique of HIPAA enforcement by the Office of the Inspector General.

As expected, OCR announced today that it will begin pilot audits, including site visits, this month at 20 covered entities to test compliance with the HIPAA privacy and security rules, and that testing would expand to include 150 entities by the end of 2012. Any covered entity, regardless of size, is eligible for inclusion in these audits (business associates will be covered in future audits).

"Should an audit report indicate a serious compliance issue, OCR may initiate a compliance review to address the problem." - Department of Health and Human Services.

If you've been putting off a review of your security and compliance posture with respect to HIPAA, now is a good time to consider your response to an audit notification. Some steps to include in a review may include:

  • Taking an inventory of PHI wherever it resides -- all applications, systems, and devices, including end-user devices such as iPhones and iPads.
  • Reviewing access control policies to ensure that access to applications and systems holding PHI meet the standard of least privilege. Is access limited only to users with a need to know and only as necessary for their job function?
  • Auditing not only access to PHI, but also modifications and deletions. Do applications and systems log the information necessary to conduct an audit? Can you retrieve logged data in a timely manner?
  • Encrypting data at rest and in transit.

Of all the internal controls over PHI, auditing may be the among the most important yet usually receives short shrift. The sheer number of applications, systems, employees, and medical records may prove daunting. Most providers only have the headcount to audit a small portion of activity: access to records of VIPs, employees, friends or relatives, and a small sample of the rest of the patient record population. Compliance and privacy personnel may need to manage an audit console for each individual application or system, and event logging may be incomplete or misconfigured.

Demands on compliance and privacy personnel to prove their organizations' compliance with HIPAA privacy and security requirements will only increase. There is a need to provide auditing and reporting on access to systems holding PHI in a way that business managers and executives can quickly understand and that does not tax an already overworked compliance staff. The verification process should be made more effective and more efficient by making better use of data the organization already collects. The process should be improved without adding more hardware or software and by replacing manual activity whenever possible.

Veriphyr is a new SaaS Identity and Access Intelligence service that improves the use of data that you're already capturing. There's no need for new on-premises equipment or software and no burden on your IT, compliance, and privacy staff. Veriphyr accepts raw identity, privilege, activity, and business data from any source, in any format (including EMR/EHR formats), even if the data is incomplete or damaged.

Veriphyr's analytics technology correlates user activity with user identities and rights to give you a complete picture of access both to patient records and to any application, database, or network in your IT environment.

Download a white paper on medical records privacy breach detection as a service. Learn about a service that proactively identifies unauthorized breaches of patient privacy, even by authorized users - with no hardware and no on-site software.

Source: OCR HIPAA Audit Program - U.S. Department of Health and Human Services


Tuesday, October 25, 2011

ACP Recommends Privacy Safeguards for Patients

The American College of Physicians (ACP) has issued a position paper, "Health Information Technology and Privacy," which argues for restrictions on the sharing of patient data, including restrictions on the sale of patient data to third parties. At the same time, the ACP is concerned that physicians not be burdened with excessive regulatory restrictions on uses of patient data that inhibit the sharing of medical data for treatment purposes or blunt the adoption of electronic health record (EHR) technology. In the words of the ACP:

"A balance needs to be achieved between the need for complete, accurate, and available medical records and the requirement that all protected health information be secure and confidential to serve the best interests of the patient."

While the ACP agrees that patients should have the right to know about disclosures of their health information, health care providers should be able to put reasonable constraints on patient rights:

"Providers should be permitted a reasonable period to comply and to charge the patient a fee that is based on the cost of providing the information."

A few months ago, we wrote about California's effort to provide patients with an audit history of modifications and deletions, as well as access, to their medical records. The growing initiative to provide patients with an audit history of access to their health information, spearheaded by HHS and several states, will present a challenge to health care compliance and privacy officers already taxed to keep up with violations of patient privacy.

To cope with the emerging reporting challenges, and to minimize provider workload and costs, health care providers can turn to a new generation of data analytics applications that import raw data from the conventional EHR systems and analyze patient record transactions in ways not previously possible. These new SaaS-based analytical intelligence solutions provide health care compliance and privacy personnel the ability to easily adapt to new reporting requirements imposed by changing regulatory requirements without diverting IT personnel to installation, configuration, and custom development of site-deployed software.

Download a white paper on medical records privacy breach detection as a service. Learn about a service that proactively identifies unauthorized breaches of patient privacy, even by authorized users - with no hardware and no on-site software.
(a) Health Information Technology and Privacy - American College of Physicians, July 2011

Want updates on patient privacy issues? Subscribe to our newsfeed and follow us on Twitter (@Veriphyr)!

Wednesday, October 19, 2011

SEC Issues Cybersecurity Reporting Guidance

Assessment of InfoSec Risks Also Mandated

Following a spate of high-profile data and privacy breaches afflicting publicly-traded companies, the SEC has issued "CF Disclosure Guidance: Topic 2." This Guidance describes factors that influence what and when to disclose concerning incidents and risks of incidents. Disclosures may include:
  • Discussion of aspects of the registrant’s business or operations that give rise to material cybersecurity risks and the potential costs and consequences

  • To the extent the registrant outsources functions that have material cybersecurity risks, description of those functions and how the registrant addresses those risks

  • Description of cyber incidents experienced by the registrant that are individually, or in the aggregate, material, including a description of the costs and other consequences

  • Risks related to cyber incidents that may remain undetected for an extended period

  • Description of relevant insurance coverage
The Guidance also requires registrants to report conclusions on the effectiveness of disclosure controls and procedures. Specifically, "management should also consider whether there are any deficiencies in its disclosure controls and procedures that would render them ineffective." Reading between the lines, management should assess whether deficiencies in the ability to detect cybersecurity incidents, whether from external threats or from insiders misusing approved access rights, have an impact on the effectiveness of disclosure controls.

A well-balanced portfolio of internal controls encompasses both prevention and detection of cybersecurity incidents (both internal and external), in order to reduce operational and reporting risk. Veriphyr Identity and Access Intelligence is the first application to detect enterprise user access vulnerabilities with a hosted, on-demand delivery model, not with site-deployed software or hardware. Veriphyr analyzes identities, activity, and privileges to expose access weaknesses that enable insiders and intruders to capture, leak, or alter data through breach of systems, applications, databases, and networks.


Tuesday, October 4, 2011

Gartner - "Identity & Access Intelligence Comes Into Its Own"

Gartner's Earl Perkins has an insightful posting today on the adoption of Identity and Access Intelligence in the enterprise. His thesis is that enterprises are moving to adopt a "formal security and IAM ‘intelligence’ practice" as a product or service.

He points out that "as larger and more sophisticated IAM shops evolved their practice, they realized that without having a continuous stream of intelligence available to them from the processes IAM was involved in, they would be unable to answer important questions regarding matters related to forensics (e.g. detecting and preventing fraud during the access process) or compliance (e.g. providing detailed reports on meeting regulatory requirements as required by government and policy)."
"The real value that IAM can provide to the business is in the intelligence it generates and owns about identity and access activities and events, not in the control it provides for access." - Earl Perkins, Gartner VP
He concludes that it "wasn't enough to store identities and attributes, or to log authentication events– some method and tool was also needed to make sense of what was happening, to understand through correlation and analysis of data from a number of different sources the true picture end to end of those activities in identity and access management that occur every day to get work done."

To read the entire blog click here.
Learn how Veriphyr's Identity and Access Intelligence as a service delivers business insights on compliance, privacy, and security- with no hardware and no on-site software.
(a) IBM Buys Q1 Labs: Identity and Access Intelligence Comes Into Its Own - Gartner Blog, October 4, 2011

$20 Million Lawsuit Over Patient Data Privacy Breach

A $20 million class action lawsuit was filed in Los Angeles County Superior Court on September 28th on behalf of approximately 20,000 patients whose protected health information (PHI) was breached.

Shana Springer filed the complaint on behalf of herself and other patients treated at a San Francisco Bay Area hospital's emergency department between March 1, 2009, and Aug. 31, 2009.
The suit alleges the hospital violated the Confidentiality of Medical Information Act, a California state law requiring healthcare providers to safeguard patient data privacy.
The patient data that was breached included patient names, medical records numbers, diagnosis codes, billing charges, and dates of emergency room admissions and discharges. No credit card or Social Security numbers were part of the breach.

According to the hospital, there is no evidence that the information was improperly used for fraudulent or any other improper purpose. But in at least one case, a patient's psychiatric diagnosis was made public.
"SHC intends to vigorously defend the lawsuit that has been filed as it acted appropriately and did not violate the law as claimed in the lawsuit." - Hospital spokesman.
The suit seeks compensation of $1,000 per patient, plus penalties, damages and attorneys’ fees. Los Angeles-based lawyers Brian S. Kabateck, Richard L. Kellner, Karen Liao, Byron T. Ball and Bradley I. Kramer are said to be representing the person bringing the suit, as well as the proposed class.
Download a white paper on patient privacy audits as a service. Learn about a service that proactively identifies unauthorized breaches of patient privacy, even by nurses, doctors, and other authorized users - with no hardware and no on-site software.
(a) Statement from Stanford Hospital & Clinics - Stanford Hospital & Clinics Website, October 3, 2011
(b) Stanford Hospital & Clinics vows to fight $20M class action -, October 4, 2011

Thursday, September 15, 2011

90,000 Healthcare Providers Signed Up for Incentive Payments for Migrating to Electronic Medical Records Systems

90,000 hospitals and other healthcare providers are taking part in the Medicare and Medicaid electronic health records (EHR) incentive programs with 13,000 joining in August alone.
"When we launched in April, we had a trickle, and that trickle is turning into a faucet opening up a little more. If this trend holds, we’ll have the faucet fully going." - Robert Anthony, CMS’ Office of e-Health Standards and Services.
CMS issued a total of $264 million in payments in August, twice as much as paid out in July, and $652 million for the year to date.
Download a white paper on EHR privacy auditing service. Proactively discover violations of patient privacy, even by nurses, doctors, and other authorized users - with no hardware and no on-site software.
(a) EHR incentive program ramps up to 90,000 providers - Government Health IT, September 15, 2011

Friday, September 9, 2011

Top HIPAA Privacy and Security Rule Violation Investigations

The U.S. Department of Health and Human Services Office for Civil Rights (HHS/OCR) has just released its "Annual Report to Congress on HIPAA Privacy Rule and Security Rule Compliance".

A highlight of the report is the summary of complaints received by HHS/OCR of alleged violations of the HIPAA privacy and security rules.

Privacy Rule
The most frequently investigated Privacy Rule compliance issues are:
  • impermissible uses and disclosures of PHI
  • lack of safeguards of PHI
  • denial of individuals’ access to their PHI
  • uses or disclosures of more than the minimum necessary PHI
  • inability of individuals to file complaints with covered entities
Download a white paper on HIPAA Privacy Rule breach detection as a service. Learn about a service that proactively identifies impermissible uses and disclosures of PHI, even by authorized users - with no hardware and no on-site software.
Security Rule
The most frequently investigated Security Rule compliance issues are:
  • failure to demonstrate adequate policies and procedures or safeguards to address:
    • response and reporting of security incidents
    • security awareness and training
    • access controls
    • information access management
    • workstation security
Covered Entities Required to Take Corrective Action
The most common types of covered entities that have been required to take corrective action are:
  • private practices
  • general hospitals
  • outpatient facilities
  • health plans
  • pharmacies
NOTE: for most HIPAA covered entities, compliance with the Privacy Rule was required by April 14, 2003, and compliance with the Security Rule by April 20, 2005.

(a) Annual Report to Congress on HIPAA Privacy Rule and Security Rule Compliance For Calendar Years 2009 and 2010 - U.S. Department of Health and Human Services' Office for Civil Rights, September, 2011

Thursday, September 8, 2011

Nurse Violates Privacy of 5,800 Patients Over 6 Years

What is the right frequency for patient data privacy audits?

A nurse was fired for 5,800 violations of patient data privacy dating as far back as 2004. The nurse's snooping was discovered in 2011 by a privacy audit at the hospital where she worked in North Bay, Ontario.

The nurse looked at visit histories, prescribed drugs, lab results, and other information a nurse typically uses to perform her job. But the nurse was not part of the "circle of care" for these patients, and therefore had no legitimate reason to access the medical records.
"This person was looking at information out of curiosity." - Marc Bouchard, hospital CIO and Chief Privacy Officer
Once the massive privacy breach was discovered the nurse was interviewed. She is said to have admitted she had no legitimate reason to be looking at the records. Afterwards she was dismissed.

Further investigation led the hospital to believe that the information inappropriately accessed by this employee was not released to other staff or beyond the hospital and that patient care was never negatively affected.
"It is the health centre’s goal to ensure that necessary health information is readily available to appropriate caregivers to ensure patient safety and quality of care, but that it is not disclosed beyond the circle of caregivers." - Pat Stephens, hospital spokesperson
As required by the Personal Health Information Protection Act, the hospital has contacted each affected patient to inform them of the breach of their personal health information, and has reported the incident to the Information and Privacy Commission of Ontario. In addition, the hospital plans to implement more rigorous audits to detect attempts to inappropriately access health care information.

While that situation is, hopefully, an extreme example, it raises the question of how frequently patient data privacy audits should be performed. The question is not how often your current resources allow you to perform audits, but this: if you could magically receive an audit of suspicious access to patient data across all patients, what would be your preferred frequency?

Your thoughts? Feel free to post your comments anonymously.
Download a white paper on patient privacy audits as an automated service. Learn about a service that proactively identifies unauthorized breaches of patient privacy, even by nurses, doctors, and other authorized users - with no hardware and no on-site software.
(a) Breach of Privacy Occurs at North Bay Regional Health Centre Affecting 5,800 Patients - North Bay Regional Health Centre, September 6, 2011
(b) Nurse fired after breach of privacy at hospital, 5,800 patients affected - The Nugget, September 6, 2011
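The audit this post describes, and the multi-source correlation the Gartner post above argues for, can be shown in a small script. This is an added example, not code from the hospital, Gartner or Veriphyr: it joins a constructed EHR access log against constructed care-team assignments and flags every access by a user who was not in the patient's "circle of care" at the time. The log format, the assignment table, the seven-day follow-up grace period, the business-hours window and the employee-record list are all assumptions made for the illustration.

```python
# Added example: "circle of care" audit over EHR access logs.
# Correlates two constructed sources a privacy audit would join: the EHR
# access log and the care-team (encounter) assignments from scheduling.
from collections import defaultdict
from datetime import datetime, timedelta

FMT = "%Y-%m-%dT%H:%M"
GRACE = timedelta(days=7)   # assumed follow-up charting window after an encounter

# Constructed sample: (patient, user, encounter start, encounter end).
ASSIGNMENTS = [
    ("P100", "nurse_a", "2011-08-01T08:00", "2011-08-01T20:00"),
    ("P200", "nurse_a", "2011-08-02T08:00", "2011-08-02T20:00"),
    ("P300", "dr_b",    "2011-08-01T09:00", "2011-08-03T17:00"),
    ("P100", "dr_b",    "2011-08-01T09:00", "2011-08-01T18:00"),
]

# Constructed sample: patient records that belong to hospital employees
# (coworker snooping was the most common breach type in the survey below).
EMPLOYEE_PATIENTS = {"P300"}

# Constructed access log: timestamp, user, patient, action (one event per line).
ACCESS_LOG = """\
2011-08-01T10:15 nurse_a P100 VIEW_LABS
2011-08-01T10:20 dr_b P100 VIEW_NOTES
2011-08-02T09:05 nurse_a P200 VIEW_MEDS
2011-08-02T22:40 nurse_a P300 VIEW_NOTES
2011-08-02T22:41 nurse_a P300 VIEW_LABS
2011-08-02T22:45 nurse_a P400 VIEW_VISITS
2011-08-03T11:00 dr_b P300 VIEW_LABS
2011-08-15T13:00 nurse_a P100 VIEW_VISITS
"""


def parse_log(text):
    """Parse whitespace-separated access log lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, action = line.split()
        events.append({"ts": datetime.strptime(ts, FMT), "user": user,
                       "patient": patient, "action": action})
    return events


def build_index(assignments):
    """Index (patient, user) -> list of (start, end) encounter windows."""
    idx = defaultdict(list)
    for patient, user, start, end in assignments:
        idx[(patient, user)].append((datetime.strptime(start, FMT),
                                     datetime.strptime(end, FMT)))
    return idx


def in_circle_of_care(idx, user, patient, ts, grace=GRACE):
    """True if the user had an encounter with the patient covering ts (plus grace)."""
    return any(start <= ts <= end + grace
               for start, end in idx.get((patient, user), []))


def audit(events, idx, employee_patients=frozenset()):
    """Return out-of-circle accesses with the reasons a privacy officer should see."""
    flagged = []
    for e in events:
        if in_circle_of_care(idx, e["user"], e["patient"], e["ts"]):
            continue
        reasons = ["no care-team assignment"]
        if e["patient"] in employee_patients:
            reasons.append("record belongs to an employee")
        if not 7 <= e["ts"].hour < 19:          # assumed business hours 07:00-19:00
            reasons.append("outside business hours")
        flagged.append({**e, "reasons": reasons})
    return flagged


def per_user_counts(flagged):
    """Count flagged accesses per user; repeat offenders surface at the top."""
    counts = defaultdict(int)
    for e in flagged:
        counts[e["user"]] += 1
    return dict(sorted(counts.items(), key=lambda kv: -kv[1]))


if __name__ == "__main__":
    idx = build_index(ASSIGNMENTS)
    flagged = audit(parse_log(ACCESS_LOG), idx, EMPLOYEE_PATIENTS)
    for e in flagged:
        print(e["ts"].strftime(FMT), e["user"], e["patient"], e["action"],
              "->", "; ".join(e["reasons"]))
    print("flagged accesses per user:", per_user_counts(flagged))
```

Run as often as the access log is collected: the same join scales from a one-off review to a nightly job, which is the frequency question the post raises. Note that a single out-of-circle access is only a lead, not proof of snooping; the reasons list is there so a reviewer can prioritise the events worth a conversation with the employee.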

Wednesday, August 31, 2011

Over 70% of Healthcare Providers Suffered Privacy Breaches

Survey Reveals Leading Source is Employees Snooping into Medical Records
Veriphyr announces the results of new survey on Protected Health Information (PHI) privacy breaches. According to the findings, more than 70 percent of the organizations in the study have suffered one or more breaches of PHI within the last 12 months.

Insiders were responsible for the majority of breaches, with 35 percent snooping into medical records of fellow employees and 27 percent accessing records of friends and relatives.

The report, entitled “Veriphyr’s 2011 Survey of Patient Privacy Breaches,” summarizes the findings of a survey of compliance and privacy officers at mid to large sized hospitals and healthcare service providers. A complimentary copy is available here (registration required).

Respondents were queried on their perceptions of privacy and compliance initiatives within their organization, adequacy of tools to monitor unauthorized access to PHI, and the number and type of breaches sustained in the past year.
“Given that data breaches of patient information cost healthcare organizations nearly $6 billion annually, we were not very surprised to discover that more than 70 percent of the organizations surveyed were victimized last year,” said Alan Norquist, CEO of Veriphyr.

However, we did not expect the prevalence of insider abuse reported, and that nearly 80 percent of the respondents feel they lack adequate controls to detect PHI breaches in a timely fashion.”
Some of the report’s key findings include:
  • Top breaches in the past 12 months by type:
    • Snooping into medical records of fellow employees (35%)
    • Snooping into records of friends and relatives (27%)
    • Loss/theft of physical records (25%)
    • Loss/theft of equipment holding PHI (20%)
  • When a breach occurred, it was detected in:
    • One to three days (30%)
    • One week (12%)
    • Two to four weeks (17%)
  • Once a breach was detected, it was resolved in:
    • One to three days (16%)
    • One week (18%)
    • Two to four weeks (25%)
  • 79% of respondents were “somewhat concerned” or “very concerned” that their existing controls do not enable timely detection of breaches of PHI
  • 52% stated they did not have adequate tools for monitoring inappropriate access to PHI
Editorial Contact: Marc Gendron, Marc Gendron PR, #781-237-0341,
Learn about a medical records abuse detection service that proactively identifies patient data privacy abuse, even by authorized users - with no hardware and no on-site software.
Veriphyr is a trademark of Veriphyr, Inc. in the United States. All other trademarks, trade names or service marks used or mentioned herein belong to their respective owners.

Sunday, August 28, 2011

UK Police Caught Abusing Access to Criminal Records on Police National Computer (PNC)

The number of UK police caught abusing their access to the Police National Computer databases now exceeds 200, according to a Freedom of Information request cited by The Telegraph.

In just the last 3 years, 84 police officers and 22 support staff in the Metropolitan Police Service have been disciplined for misusing government databases that contain sensitive information on millions of people and their property.
"Half of the offences uncovered, including some accused of passing information to criminals, took place in the last three years - suggesting the abuse of the system is on the increase." - Jason Lewis, Investigations Editor for The Telegraph.
Over the past 10 years, 142 police officers and 66 staff in the Metropolitan Police have been disciplined, resulting in 29 firings and 16 prosecutions. Across the entire UK, a total of 400 police officers and staff have been disciplined for similar abuse.
"A survey of senior police officers found most believed abuse of police systems occurred 'frequently' and called for greater audit and controls on police computer resources." - Jason Lewis, Investigations Editor for The Telegraph.
Police National Computer Databases
  • Names File - People who have been convicted, cautioned or recently arrested
  • Vehicle File - Registered keeper of a motor vehicle
  • Property File - Certain types of stolen and found property including Trailers, Plant, Engines, Animals, Marine and Firearms
  • Drivers File - 48 million people who either hold a driving licence or are disqualified from holding one
Learn about a privacy breach detection service that proactively identifies unauthorized breaches of data privacy, even by authorized users - with no hardware and no on-site software.
(a) Hundreds of police officers caught illegally accessing criminal records computer - The Telegraph, August 20, 2011
(b) Police National Computer - Wikipedia as of August 28, 2011

Share the Love with Children's Miracle Network

Veriphyr is proud to sponsor Children’s Miracle Network (CMN) Hospitals - a charity that raises funds for more than 170 children's hospitals.

Now you can help support this worthy charity by voting for it to become a Subaru "Share the Love" charity. This event raised $5 million for five charities last year. For every new vehicle sold or leased, Subaru donates $250 to the customer's charity of choice.

Here is how you can help CMN Hospitals become a Subaru charity: You can continue to vote each and every day from Thursday, August 25, 2011 until Thursday, September 15, 2011. Please spread the word. And thanks for sharing the love!

Copyright © 2010-2017 by Veriphyr Incorporated, All Rights Reserved.
