Saturday, December 31, 2011

Court Rules for Patient in Medical Privacy Suit

A woman who was awarded $100,000 in compensation for a violation of her medical privacy will get a chance to seek more money, the 8th Circuit ruled.

Jane Doe sued three doctors over a newspaper article about the doctors which contained information that violated her medical privacy.

Her suit resulted in an award of $100,000, but her follow-up suit claimed that the court erred in excluding testimony that would have resulted in a larger judgment.

In a split decision this week, a three-judge panel of the 8th Circuit agreed with Doe.

For more, see the Courthouse News Service.

Friday, December 30, 2011

Insurance Privacy Breach Leads to Arson, Shootings

A former employee of Vancouver-based Insurance Corporation of British Columbia (ICBC) is being investigated in connection with shooting and arson incidents in the Vancouver area. According to the RCMP, the former employee is a woman who had worked for ICBC for 15 years. She is alleged to have accessed the information of people associated with the Justice Institute of British Columbia, whose homes were targeted for attack. A link between the employee and organized crime elements is under review.

Police made the connection to the Justice Institute in September 2011 and announced that 10 people had been victimized. That number has since grown to 13 and police are trying to determine if there have been other incidents.

It is believed that the woman accessed the personal information of 65 individuals. Further reports from CBC indicated the woman was fired in August 2011 for unspecified reasons. Because she was fired before the investigation linked her to the attacks, it’s not clear whether unauthorized access played a role in her departure. If her access were not properly terminated, she could have continued to disseminate personal information after her firing.

ICBC has taken unspecified measures to prevent similar privacy breaches in the future.
Regular audit of access to confidential data — even by employees with approved access — is a necessary component of effective defense against privacy breaches. Download a white paper on privacy breach detection as a service. Learn about a service that proactively identifies unauthorized breaches of privacy and security, even by authorized users — with no hardware and no on-site software.

Follow Veriphyr on Twitter (@Veriphyr) for more privacy breach news!

Saturday, December 24, 2011

Government Workers Fired for Data Privacy Violation

Five government employees were fired for inappropriately accessing sensitive government computer applications and selling personal details to debt collection agencies. Two more are under investigation as part of a national review which could result in prosecutions.

The five employees admitted breaching the government's strict privacy code. As a condition of employment they had signed the Code of Conduct and a declaration acknowledging their responsibility to protect privacy.
"There is never any excuse for accessing a client's file without a legitimate work-related reason." - Janet Grossman, Work and Income
The Privacy Commissioner has been informed, and each client whose privacy has been breached is being contacted individually.

The government said it has zero tolerance for staff who breach the privacy of clients. To ensure this, the government's Integrity Unit regularly conducts time-consuming reviews of the logs of user access and activity to identify violations.
Are you auditing violations of privacy by your employees? Download a white paper on privacy breach audits. Learn how to proactively identify unauthorized breaches of data privacy, even by authorized users - with no hardware and no on-site software.
(a) WINZ staff under fire -, December 24, 2011

Friday, December 23, 2011

The Costs of a Privacy Breach: Are You Ready?

In “First-Hand Experience with a Patient Data Security Breach,” the CEO of an implementation services company discusses the impact of a data breach on his company and the patient practices it serves, and the resultant costs. While the loss stemmed from the loss of a laptop rather than from insider actions, an analysis of the response process and the expenses incurred provides rare insight into an effective breach response program “under fire,” as well as how costly breaches of PHI can be. For a data breach involving the compromise of over 14,000 records (which ultimately resulted in the PHI of 1,000 patients being placed at risk), the total cost of breach investigation and response was a staggering $288,000. After legal fees, the single largest component of the cost was staff time, estimated at $125,000. The diversion of staff time because of the manual processes needed to determine the extent of damage added significantly to the total.

It seems that many health care providers would find themselves financially exposed in the event of a serious data breach. HealthLeaders Media (b) cites a survey indicating most healthcare organizations are not ready for a privacy and security audit:
"HCPro's survey results show that only 17% of responding organizations said they are fully prepared for an OCR privacy and security compliance audit. 'It is very hard to get your staff to understand how important this is,' one compliance officer said."
Through our own research and conversations with health care executives, we have found that key best practices for curbing intentional privacy breaches include:
  • effective training in privacy standards
  • explicitly communicating the sanctions for misbehavior
  • ensuring staff know that the means of audit and detection are reliable
Download a white paper on medical records privacy breach detection as a service. Learn about a service that proactively identifies unauthorized breaches of patient privacy, even by authorized users - with no hardware and no on-site software.
(a) First-Hand Experience with a Patient Data Security Breach -, December 3, 2011
(b) Most Providers Unprepared for HIPAA Audit - HealthLeaders Media

Friday, December 16, 2011

Risk Indicators of Insider Threats

Dr. Eric Shaw, and Dr. Harley Stock of the Incident Management Group, have published “Behavioral Risk Indicators of Malicious Insider Theft of Intellectual Property: Misreading the Writing on the Wall,” a report on the warning signs and behaviors indicating the likelihood of insider attacks on enterprise IP.

While espionage by foreign governments and attacks by hackers grab the headlines, the vast majority of data breaches and IP theft are perpetrated by insiders. Unfortunately, most IT security budgets are allocated disproportionately to the more sensational (but less likely) attack vectors. This may be explained by the fact that technical controls over insider abuse of access are difficult to enforce – it may not be easy to tell the difference between legitimate and illegitimate access to sensitive data, and detection usually requires tedious manual review of activity logs and comparison with approved rights.

In the vast majority of cases, an enterprise has already captured the evidence of the attack in activity logs but lacks the tools or expertise to reveal what has happened. As a result,
"…insiders use technical means to steal IP, but most theft is discovered by non-technical employees. The majority of subjects (54 percent) used a network—email, a remote network access channel or network file transfer to remove their stolen data. However, most insider IP theft was discovered by non-technical versus technical employees… Sometimes the company involved was unaware of the theft until law enforcement notified them after discovering it during a related investigation."
Even worse, some thieves recruit their co-workers to participate in their schemes. If identifying a single perpetrator is challenging, uncovering “fraud chains” involving multiple insiders is extraordinarily difficult with traditional log review methods. Applying advanced data analytics to reveal behavioral patterns of multiple insiders offers the best defense against complex inside attacks.

Insider attacks are often presaged by other violations of policy. As the report states, "Employees with a history of previous rule violations elsewhere are at even greater risk for future violations."

Verizon, in their 2010 Data Breach Investigations Report, made the same observation. Minor breaches of security often come before a major insider attack. We would recommend a review of unusual patterns of access indicating reconnaissance on critical systems, applications, networks, or sensitive records.

At Veriphyr, we have written at length about insider attacks in this blog. For more information in a health care context, we have published "From Insider Abuse to Insider Accountability,” which describes the problem of insider abuse and how data analytics can be applied to reveal abusive patterns of access that manual auditing misses, while relieving compliance, privacy, and IT staff of the need for installing and maintaining new hardware or software.


More on insider attacks: get our RSS feed, and follow us on Twitter (@Veriphyr)!

Sunday, December 11, 2011

Medical Records are Worth $50 Each on the Black Market

A single patient's medical record is worth $50 on the black market, according to a panel of cyber security specialists at the Digital Health Conference held on December 1st in New York City.

One reason for the high value is that a person cannot cancel their own medical history, whereas they can always cancel a stolen credit card number. This makes it much harder to prevent stolen medical data from being used by criminals.

Medical record data is worth $50 on the black market, much more than Social Security numbers ($3), credit card information ($1.50), date of birth ($3), or mother's maiden name ($6).

Stolen medical data -- such as electronic health records or insurance information -- is lucrative because thieves use it to submit false or inflated medical claims, buy prescription medication, or pay for treatment - all at the victim's expense.

The panel of experts pointed out that impermissible use of patient data at healthcare and insurance companies is an increasing source of stolen medical data; this includes data lost or stolen by insiders such as healthcare or insurance workers.

The panelists explained how impermissible use of medical data is detectable by analyzing activity in electronic health record applications and other clinical and financial computer systems.

Learn how Veriphyr uses Structural Analytics to detect "impermissible use" of patient data in clinical and business applications by employees, contractors, and third parties.

(a) DHC: EHR Data Target for Identity Thieves - MedPage Today - 12/07/2011
(b) Digital Health Conference - Digital Health Conference, December 1-2, 2011

Friday, December 9, 2011

VA Hospital Employee Charged with Identity Theft

An employee at a VA medical center in Miami is alleged to have sold personal information of disabled veterans using her privileged access to hospital systems. The information was later used to open unauthorized credit card accounts at Citibank.

The employee faces charges connected with the theft and sale of the personal information of at least 22 military veterans. Kendrick is alleged to have used her position in the medical center’s travel benefits department to obtain names, addresses, dates of birth, and Social Security numbers, which she in turn transferred to an accomplice who opened the credit card accounts.

The fraud was discovered after the VA Office of Inspector General received complaints regarding the fraudulent accounts.

Most attention in the press on the security of patient information centers on electronic health records. However, patient billing information is also vulnerable, and the systems that hold billing information typically do not have any built-in audit capabilities. An effective defense of patient privacy focuses on tracking access to all systems and applications holding personally identifiable information to ensure that sensitive information is accessed only by authorized personnel and only in accordance with their job function. Problem access needs to be identified and remediated quickly. The challenge for health care providers is to do this with limited personnel and budgets, and without introducing new software or hardware into the IT environment.
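An added illustration, not code from this page or from Veriphyr, of the access review described here and in the "Risk Indicators of Insider Threats" post above: it compares a constructed access log against an assumed per-user approved-rights table, flags users who touch many records outside their rights (the reconnaissance-style pattern that precedes a major attack), and lists records hit by several such users (candidate fraud chains). The log format, user names, record ids and the rights table are all assumptions.

```python
from collections import defaultdict
# Constructed sample access log (not from the original page): timestamp,user,role,record_id
SAMPLE_LOG = """\
2011-12-01T09:02,ann,billing,P100
2011-12-01T09:05,ann,billing,P101
2011-12-01T09:06,ann,billing,P102
2011-12-01T09:07,ann,billing,P103
2011-12-01T09:20,bob,nurse,P100
2011-12-01T09:21,bob,nurse,P104
2011-12-01T10:00,cat,billing,P101
2011-12-01T10:01,cat,billing,P102
2011-12-01T10:02,cat,billing,P103
2011-12-01T10:30,dan,travel,P200
"""
# Assumed approved rights: the records each user may touch for their job function
APPROVED = {
    "ann": {"P100"},
    "bob": {"P100", "P104"},
    "cat": {"P101"},
    "dan": {"P200"},
}

def parse_log(text):
    """Split the CSV-style log into dicts; one dict per access event."""
    rows = []
    for line in text.strip().splitlines():
        ts, user, role, rec = line.split(",")
        rows.append({"ts": ts, "user": user, "role": role, "rec": rec})
    return rows

def unapproved_access(rows, approved):
    """Records each user touched that are not in their approved rights."""
    out = defaultdict(set)
    for r in rows:
        if r["rec"] not in approved.get(r["user"], set()):
            out[r["user"]].add(r["rec"])
    return dict(out)

def reconnaissance_suspects(unapproved, threshold=3):
    """Users touching at least `threshold` distinct records outside their rights."""
    return sorted(u for u, recs in unapproved.items() if len(recs) >= threshold)

def shared_unapproved_records(unapproved, min_users=2):
    """Records hit by several users outside their rights: candidate fraud chains."""
    by_rec = defaultdict(set)
    for u, recs in unapproved.items():
        for rec in recs:
            by_rec[rec].add(u)
    return {rec: sorted(us) for rec, us in by_rec.items() if len(us) >= min_users}
```

On the sample log, ann is flagged for touching three records outside her rights, and P102 and P103 are each hit by both ann and cat outside their rights, which is the overlap a chain review would pull for follow-up.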
Download a white paper on data breach detection as a service. Learn about a service that proactively identifies unauthorized breaches of patient privacy, even by authorized users - with no hardware and no on-site software.

Subscribe to our RSS feed and follow us on Twitter (@Veriphyr)!

Saturday, December 3, 2011

#1 Security Priority in Healthcare

"It's becoming increasingly clear that the age of strictly voluntary compliance with respect to HIPAA has come to an end, and the threat of expensive settlements and corrective action plans with federal and state regulators is becoming an increasing reality," - Adam Greene, former official at HHS/OCR (Department of Health and Human Services' Office for Civil Rights)

"There are various ways to do auditing, but it's important to do smart auditing rather than just a completely random sample. There are certainly tools available to do algorithms that may hone in on potential problem areas." - Adam Greene

"small breaches also are sometimes the much harder ones to catch. When you've got a large breach that's readily apparent much of the time, whereas often times it requires proactive monitoring to find all the small breaches that are going on in the organization, and that's where I think organizations aren't really putting their resources. They're simply unaware of the volume of small breaches that may be happening." - Adam Greene

Download a white paper on medical records privacy breach detection as a service. Learn about a service that proactively identifies unauthorized breaches of patient privacy, even by authorized users - with no hardware and no on-site software.

Copyright © 2010-2017 by Veriphyr Incorporated, All Rights Reserved.