Thursday, June 30, 2011

4,000 Patients' Data Stolen from Hospital for Identity Theft

An Alabaster, Alabama woman was arrested for a violation of the Health Insurance Portability and Accountability Act (HIPAA) and indicted for stealing identifying information on more than 4,000 patients from a Birmingham hospital while an associate of hers was a patient there.

The stolen patient records include patient names, dates of birth and Social Security numbers over a span of years.
If convicted of violating the HIPAA statute, the accused faces a maximum sentence of 10 years in prison and a $250,000 fine.
As in other recent cases of insider theft, it was not the hospital that detected the theft of 4,000 patient records. It appears to have been the Alabaster Police Department, U.S. Postal Inspectors, and the U.S. Secret Service who tracked the trail back to the hospital.
Download a white paper on medical records privacy breach detection as a service. Learn how an on-demand, pay-per-use service can cost effectively address the HIPAA/HITECH privacy and security rules - with no hardware and no on-site software.
In addition, the accused was indicted for possessing stolen mail, attempting to commit bank fraud, misusing someone else's Social Security number, and aggravated identity theft.
"The perpetrator crossed a barrier where the American public trusted a healthcare provider with personal information." - Martin D. Phanco, Postal Inspector, Atlanta Division
Trinity Medical Center, formerly Baptist Montclair Hospital, is notifying patients whose personal information was stolen.

A defendant is presumed innocent of the charges and it will be the government’s burden to prove a defendant’s guilt beyond a reasonable doubt at trial.

Sources:
(a) U.S. Postal Inspectors Arrest Woman On Charges Of Stealing Hospital Patient Information - US Attorney's Office, Northern District of Alabama, June 3, 2011
(b) Alabaster Woman Indicted For Stealing Hospital Patient Information - US Attorney's Office, Northern District of Alabama, June 28, 2011


Wednesday, June 29, 2011

Medical Identity Thief Dies in Hospital and His Family Sues

When a person obtains healthcare under the medical identity of another person, should he be allowed to sue for malpractice?

A person going by the name "James Daniels" dies after heart surgery at a Milwaukee Hospital. His family threatens to sue the hospital. But there is a twist in this tale - medical identity theft - the person who died was actually Manquis Daniels using his brother James' insurance to secure care.
"...the fraudulent use of someone's medical identity puts the individual who stole that identity at risk of being improperly treated." - Kathleen Schmitz, hospital spokeswoman
Jim Stingl at the Milwaukee-Wisconsin Journal Sentinel could not get the family to answer phone calls, but he discovered these details from the report of the Milwaukee County medical examiner's office.
The deceased was reportedly a smoker with high blood pressure who recently learned he had severe coronary artery disease. A "ticking time bomb" is what doctors called him, according to the wife's statement.

After the deceased underwent surgery, his blood pressure dropped while he was recovering in the ICU, due to bleeding in the coronary artery. The bleeding was stopped, but due to lack of oxygen he suffered brain damage and was pronounced dead three days later.
The family claims mistakes were made and the hospital claims its investigation found no evidence of improper care.

One interesting point was made by a reader in the comments section for this story in the Milwaukee-Wisconsin Journal Sentinel:
"The patient's identity theft may -- *may* -- possibly have contributed to his own death. By pretending to be his brother, he told the hospital to look at his brother's medical records, not his own. So ... anything that might have given the staff advance warnings of what would happen that day -- he withheld from them, and gave them his brother's."
What do you think? Please feel free to post your thoughts and comments.

For more information on this incident see:
(a) Potential St. Mary's lawsuit complicated by patient's identity theft - Jim Stingl, Milwaukee-Wisconsin Journal Sentinel, June 25, 2011
(b) Readers comments on the story "Potential St. Mary's lawsuit complicated by patient's identity theft" - Milwaukee-Wisconsin Journal Sentinel, June 25, 2011


Tuesday, June 28, 2011

Texas Law Hikes Penalties for Violation of Health Care Privacy

$1.5 million penalty for repeat offenders

The governor of Texas signed a new law that increases privacy violation penalties to a maximum of $250,000 if the disclosure is for financial gain. There are also lower penalties of $25,000 per knowing or intentional violation, and $5,000 per negligent violation. (The previous maximum was $2,500 per violation.)

Moreover, the courts may assess a civil penalty up to $1.5 million if they find the "violations have occurred with a frequency as to constitute a pattern or practice".
"There's no data more sensitive than your healthcare data. We have lots of laws to protect financial data; I wanted to strengthen our laws protecting healthcare data."
- Lois Kolkhorst (Republican), bill sponsor in Texas House of Representatives
For entities licensed by the state, additional penalties can include probation, suspension, or revocation of a professional license.

By adopting HIPAA privacy standards, the new state law requires that protected health information (PHI) not be disclosed without the patient’s authorization, except for purposes of treatment, payment, health care operations, insurance purposes, and as otherwise authorized by state or federal law.
Sources:
(a) H.B. No. 300 - An act relating to the privacy of protected health information; providing administrative, civil, and criminal penalties. - Texas State Government, June 2011
(b) New Texas Health Care Privacy Law - Baker Hostetler legal practice data privacy blog, June 2011
(c) Texas Enacts Health Privacy Law - Healthcare InfoSecurity, June 2011


Monday, June 27, 2011

Jury Indicts Doctor for Disclosing Patient Health Information

He Could Face 5 Years in Jail if Convicted. Your Thoughts?

A doctor in Suffolk, Virginia could face up to five years in prison if convicted of wrongfully disclosing protected health information (PHI) about a patient. Is it a justified reaction to the patient data privacy breach, or does it go too far? Share your thoughts on this situation.

The Indictment
The former medical director of the Sentara Obici Hospital's psychiatric unit was indicted in U.S. District Court in Norfolk, Virginia on June 21. According to the indictment, the doctor treated a patient for two weeks in 2007. His discharge summary indicated that the patient was not considered a danger to others. Then in February 2008, he provided the patient's personal health information to an "agent" of the patient's employer without authorization on three different occasions.
According to the indictment, the doctor disclosed the information under false pretenses, saying she was a "serious and imminent threat to the safety of the public" even though, the indictment claims, the doctor knew the patient was not a threat to the safety of the public.
Previous Board of Medicine Investigation
The Virginia Board of Medicine had previously investigated the same incident, and in May 2010 he was fined $5,000 and put on probation until he completed eight hours of medical education on professional ethics. When he had complied with the order in October 2010, his license was restored.

A call by The Virginian-Pilot newspaper to a phone listed as the doctor's office could only reach a voice mail saying his practice has been closed and he is no longer accepting patients.

An indictment is only an accusation, and defendants are presumed innocent until and unless proven guilty beyond a reasonable doubt. The doctor's attorney said his client will be pleading not guilty to the charges.

Sources:
(a) Suffolk doctor faces federal privacy law charges - The Virginian-Pilot, June 23, 2011
(b) Doctor indicted for disclosing health information - Fox 43 TV.com, June 21, 2011


Sunday, June 26, 2011

"Abuse of System Access / Privileges" is #1 Means for Stealing Intellectual Property and Classified Information

According to the Verizon 2011 Data Breach Investigations Report (DBIR), "Abuse of System Access / Privileges" is the top threat action type used to steal intellectual property and classified information.

Verizon's Real World Example
An example from the Verizon report is a Nigerian fraud ring that gained key positions within some of America's largest banks, which allowed them to steal personally identifiable information, access and/or create bank accounts, and carry out other nefarious activities.
"Another lesson ... is the importance of quickly deprovisioning user access and privileges when they are no longer needed. Year after year we investigate breaches involving former employees or business partners." - Verizon 2011 Data Breach Investigations Report
Chart: Top Threat Types Used To Steal Intellectual Property and Classified Information (excludes incidents only involving payment card data, bank account information, personal information, etc.)
Learn how Veriphyr’s Identity and Access Intelligence as a service discovers abuse of system access and privileges - with no hardware and no on-site software.
The Verizon 2011 Data Breach Investigations Report (DBIR) provides a view of "What it means for the general community." This chart is part of Verizon's effort to release some of the most-requested segmentations of the DBIR's 761 incidents to answer the question "what it means for specific segments."

Sources:
(a) New views into the 2011 DBIR - Verizon Security Blog, June 23, 2011
(b) Verizon 2011 Data Breach Investigations Report - Verizon Security, Apr 19, 2011


Is She a Whistle-Blower or Violator of Patient Privacy?

A hospital fired a full-time medical assistant because the hospital says she breached patient privacy by "shoulder surfing". She says she is a whistle-blower punished for trying to expose a co-worker's violation of patient privacy. What do you think?

The medical assistant, who had been employed by the hospital since 1994, is accused of looking over the shoulder of a co-worker while he was examining a patient's medical record. The medical assistant claimed she only did this to see if the co-worker was examining a patient's medical record without authorization.

The medical assistant then reported the co-worker and provided information about the patient being accessed to her supervisor. In response, the hospital fired her because, according to the hospital, she violated the Health Insurance Portability and Accountability Act (HIPAA) not just once, when she looked at the patient records over her co-worker's shoulder but a second time when she gave her supervisor information about that patient.
"A hospital spokesman declined to comment on the case and declined to say whether [the medical assistant's] unidentified co-worker was fired." - The Des Moines Register
The medical assistant had reportedly been previously disciplined for patient data privacy breaches, as well as attendance and work performance. After she was fired, she applied for unemployment benefits, but the hospital fought her application. The judge ruled against the hospital, saying it had not proven any work-related misconduct.

What do you think?
So what do you think? Is the medical assistant a whistle-blower or a violator of patient privacy? What additional information would you want to have when making a judgement? Feel free to leave your thoughts and comments.

For more insight on this case see these posts on previous breaches of patient data privacy at this hospital. Sources:
(a) 2 fired at University of Iowa Hospitals for peeking at records - The Des Moines Register, June 21, 2011
(b) UIHC fires 2 employees for patient-privacy violations - Press-Citizen, June 21, 2011


Saturday, June 25, 2011

Nurse Fired for Snooping on a Friend's Medical Records

The University of Iowa hospital fired a nurse who is accused of accessing patient medical records without authorization on multiple occasions.

The fired nurse told hospital management that the patient was a friend who wouldn't object to the nurse reviewing her medical records. But being a friend of the patient is not a legitimate justification under HIPAA.

The hospital has previously claimed to routinely review staff activity for breaches of patient privacy, but this breach was not discovered by such a review. Rather, the discovery was made by an employee who stumbled onto the breach when he could not access the patient's record because the fired nurse was viewing it.
Learn about a proactive privacy breach detection service. Read a whitepaper about an automated solution that proactively discovers breaches of patient privacy - with no hardware and no on-site software.
Previous breaches of patient data privacy at this hospital. Sources:
(a) 2 fired at University of Iowa Hospitals for peeking at records - The Des Moines Register, June 21, 2011
(b) UIHC fires 2 employees for patient-privacy violations - Press-Citizen, June 21, 2011


Friday, June 24, 2011

Jail and Fine for Medical Identity Theft in Portsmouth, N.H.

Medical identity theft resulted in 4 years in jail and $33,374.29 in restitution to the Medicare and Medicaid programs.

Christopher Rabbia, also known as Christopher Mirabella, pleaded guilty to using another person's medical identification information to obtain health care services at various locations, including Portsmouth Regional Hospital.

Because Rabbia fraudulently used the identity of another person who is eligible for Medicare and Medicaid, those programs paid for his care.
Investigators included Special Agents of the Department of Health and Human Services Office of Inspector General and the Federal Bureau of Investigation, with help from the Ogunquit, Maine, Police Department. The federal prosecutor was Assistant U.S. Attorney John Farley.

Sources:
(a) Man who tried to use someone else's insurance at Portsmouth Regional Hospital to serve 4 years in prison - Foster's Daily Democrat, Friday, June 24, 2011


Negligence Lawsuits on Patient Data Privacy Breaches Rely on HIPAA to Establish Standard of Care

Recent court decisions held that HIPAA may form the basis of a state law "negligence per se" claim, even though HIPAA does not create a private right of action under federal law.

The court refused to dismiss plaintiff’s claim for negligence per se, despite its reliance on HIPAA in the case of I.S. v. Washington University, E.D. Mo.
"The risks of such private causes of action are only expected to increase ... healthcare providers must ensure strict compliance in order to avoid not only regulatory enforcement but also individual lawsuits." - McGuireWoods legal practice blog
The Washington University case is not the first such case. The North Carolina Court of Appeals allowed a plaintiff to make an intentional infliction of emotional distress claim against a psychiatrist by relying on HIPAA. In that case, a psychiatrist's office manager accessed the patient's medical records to cause harm to the patient.
Sources:
(a) HIPAA May Provide Basis for State Law Private Cause of Action - McGuireWoods legal practice blog, June 23, 2011


ONC's Mostashari on Electronic vs. Paper Health Records

Are electronic health record (EHR) systems better than paper records? Are they more accessible in times of crisis, as well as more secure and confidential?

A posting by Farzad Mostashari, the National Coordinator for Health IT, pointed to the recent tornado in Joplin, Missouri to highlight the benefits of EHRs over paper records.
"The Joplin tornado proved once again the resilience and security afforded by hospitals and providers transitioning from paper to electronic health records (EHRs)." - Farzad Mostashari, National Coordinator for Health IT and Rear Admiral Nicole Lurie, MD, MSPH, Assistant Secretary for Preparedness and Response
St. John’s Regional Medical Center lost paper records and x-rays. Some records were found as far as 75 miles away in Springfield. Fortunately, just three weeks before the tornado, St. John’s had finished its migration to an EHR system of its parent company, Mercy Health System of St. Louis. Within six days the hospital staff was delivering care from a temporary facility with full access to their electronic patient records.
"Having an EHR allowed us to be able to know exactly who all the patients were in our hospital so we were able to locate each and everyone fairly quickly after the EF5 tornado hit. If we only had paper [records], it would have been very difficult to manage our patients." - Dottie Bringle, R.N., Chief Operating Officer and Chief Nursing Officer at St. John’s Mercy Hospital
Of course, by expanding and simplifying access to medical records EHRs also expand the potential for healthcare workers with legitimate access to medical records to misuse that access as has been demonstrated by numerous examples in this blog. But new medical records privacy breach detection services are available to mitigate the new risk of going electronic.
Sources:
(a) Electronic Health Records Prove to be Invaluable After Crisis - www.healthit.gov, June 22, 2011


Thursday, June 23, 2011

Tracking Changes to Electronic Health Records

California State Senator Mark Leno
Proposed legislation in California would require health care providers to track changes and deletions of electronic health records.

SB 850 would require providers to automatically record any change or deletion of electronically stored medical information and identify who made the change. Furthermore, the bill would make it possible for patients to see the changes if they requested their medical records. By contrast, pending federal requirements would allow patients to request a list of people who had accessed medical records, but there is no requirement to disclose transactions that alter a medical record.
“Changes to an EHR (electronic health record) can go unnoticed and can be harder to trace than changes made to paper records,” said Sen. Mark Leno, D-San Francisco, the author of SB 850.
An attorney for the family of a woman whose medical records were altered after a 2009 fatality noted that medical records are extremely easy to manipulate when they're in electronic form, and that patients have difficulty pursuing discovery if records of changes are not kept.

Some in the health care industry contend that requiring every adjustment to be noted in the medical record itself would impose a heavy and costly administrative burden on already stretched health care resources. They also contend that current systems lack support for such functionality, requiring a round of expensive upgrades or re-architecture of existing systems.

However, it's not clear whether the lack of functionality refers to the lack of necessary reporting capability or to the lack of transaction recording ability related to additions, deletions, and modification of patient records. While reporting capability may be lacking, the ability of EHR applications to create shadow patient records reflecting changes and edits is known to exist in several current or upcoming versions. Instead, the problem may be an inability of existing vendor tools to easily access and present patient data outside of standard reporting scenarios without extensive modification of the application.

Is there a way to balance patient rights against the administrative burdens for health care organizations? Instead of expensive EHR system upgrades, the answer may lie in providing an alternative to integrated EHR vendor reporting tools. These tools limit the ways in which medical record transactions can be reported and the ways staff can view changes to patient records. At best, they require involvement of the IT department to manipulate tabular data and to write custom reports, diverting IT staff from other operational work. However, new intelligence applications, designed to manipulate and analyze unstructured data, can import raw data from the conventional relational models of EHR systems and analyze patient record transactions in ways not possible until now. These new analytical intelligence solutions give health care compliance and privacy personnel the ability to easily adapt to new reporting requirements imposed by changing regulatory requirements. SaaS-based intelligence applications remove the need for diverting IT personnel to installation, configuration, and custom development of site-deployed software.
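The SB 850 requirement described above, worked through as an added example (not from the page, the bill or any EHR vendor): every change or deletion to a record is logged automatically with the actor and timestamp, and a patient-facing history can be produced from the log. The hash chain is an extra hardening step the bill does not require; it makes edits, removals or reordering of earlier log entries detectable. Patient ids, user ids and values are constructed.

```python
import hashlib
import json
from dataclasses import dataclass, replace
from datetime import datetime, timezone
from typing import Optional

DELETED = "<deleted>"   # shown to the patient when a field was removed
GENESIS = "0" * 64      # previous-hash value for the first log entry


@dataclass(frozen=True)
class ChangeEntry:
    seq: int                  # position in the log, starting at 1
    patient_id: str
    field_name: str
    old_value: Optional[str]
    new_value: Optional[str]  # None records a deletion
    actor: str                # user id of the person who made the change
    changed_at: str           # ISO-8601 UTC timestamp
    prev_hash: str            # hash of the previous entry (chain link)
    entry_hash: str           # SHA-256 over prev_hash + this entry's content

    def content(self) -> str:
        keys = ("seq", "patient_id", "field_name", "old_value",
                "new_value", "actor", "changed_at")
        return json.dumps({k: getattr(self, k) for k in keys}, sort_keys=True)


def _hash(prev_hash: str, content: str) -> str:
    return hashlib.sha256((prev_hash + content).encode("utf-8")).hexdigest()


class EhrChangeLog:
    """Current record per patient plus an append-only, hash-chained change log."""

    def __init__(self) -> None:
        self.entries: list[ChangeEntry] = []
        self._records: dict[str, dict[str, str]] = {}

    def _append(self, patient_id, field_name, old, new, actor, when):
        prev = self.entries[-1].entry_hash if self.entries else GENESIS
        stamp = (when or datetime.now(timezone.utc)).isoformat()
        draft = ChangeEntry(len(self.entries) + 1, patient_id, field_name,
                            old, new, actor, stamp, prev, "")
        entry = replace(draft, entry_hash=_hash(prev, draft.content()))
        self.entries.append(entry)
        return entry

    def set_field(self, patient_id, field_name, value, actor, when=None):
        """Record a change automatically; returns None when nothing changed."""
        rec = self._records.setdefault(patient_id, {})
        old = rec.get(field_name)
        if old == value:
            return None
        rec[field_name] = value
        return self._append(patient_id, field_name, old, value, actor, when)

    def delete_field(self, patient_id, field_name, actor, when=None):
        """Deletions are logged like any other change, keeping the removed value."""
        rec = self._records.get(patient_id, {})
        if field_name not in rec:
            raise KeyError(f"{field_name} not present for {patient_id}")
        old = rec.pop(field_name)
        return self._append(patient_id, field_name, old, None, actor, when)

    def history(self, patient_id):
        """Patient-facing list of changes: when, by whom, which field, old and new."""
        return [{"when": e.changed_at, "by": e.actor, "field": e.field_name,
                 "from": "" if e.old_value is None else e.old_value,
                 "to": DELETED if e.new_value is None else e.new_value}
                for e in self.entries if e.patient_id == patient_id]

    def verify_chain(self) -> bool:
        """Recompute every hash; False if an entry was edited, removed or reordered."""
        prev = GENESIS
        for i, e in enumerate(self.entries, start=1):
            if e.seq != i or e.prev_hash != prev or e.entry_hash != _hash(prev, e.content()):
                return False
            prev = e.entry_hash
        return True


def demo():
    """Constructed scenario: a note is rewritten days later, a field is deleted,
    then someone with database access edits the log to hide the rewrite."""
    log = EhrChangeLog()
    t0 = datetime(2011, 6, 1, 9, 0, tzinfo=timezone.utc)
    log.set_field("P-1001", "allergies", "penicillin", "dr_adams", t0)
    log.set_field("P-1001", "progress_note", "stable, discharge tomorrow", "dr_adams", t0)
    log.set_field("P-1001", "progress_note", "unstable, monitor closely", "dr_adams",
                  datetime(2011, 6, 3, 22, 15, tzinfo=timezone.utc))
    log.delete_field("P-1001", "allergies", "nurse_baker",
                     datetime(2011, 6, 4, 8, 0, tzinfo=timezone.utc))
    intact_before = log.verify_chain()
    history = log.history("P-1001")
    # A direct edit of entry 2 bypasses _append, so its stored hash no longer matches.
    log.entries[1] = replace(log.entries[1], new_value="unstable, monitor closely")
    return {"history": history, "intact_before": intact_before,
            "intact_after_tamper": log.verify_chain()}
```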
Veriphyr Identity and Access Intelligence for HIPAA provides effective verification that user activity corresponds with approved policies and authorized behavior, including modifications of patient records. Veriphyr analyzes identities, privileges, and user activity to detect violation of access control down to the record level to deter snooping into sensitive data or alteration of records.
Sources:
(a) Bill would require 'track changes' on electronic medical records - California Watch - June 13, 2011
(b) EHR Security Measure Might Have Hidden Consequences - California Healthline - May 12, 2011

Wednesday, June 22, 2011

Prison for Insider Theft of Patient Data at Hospital

The ringleader of a fraud affecting more than 250 patients was sentenced to more than 14 years in prison and ordered to pay $631,000 in restitution.

One member of the gang was an emergency room employee at Holy Cross Hospital in Ft. Lauderdale who stole patients’ personal information from emergency room records. Another member worked for a doctor in Aventura and stole patient information from her employer.
The court held [the ringleader] responsible for a $419,000 loss incurred by Holy Cross Hospital due to the identity theft and a $212,000 loss incurred by J.P. Morgan Chase Bank.
The gang used the stolen patient information to gain online access to existing accounts and telephone banking services at J.P. Morgan Chase Bank, and to make cash withdrawals and purchase money orders through ATMs.

The hospital only became aware of the patient data privacy breach when the U.S. Attorney's Office and U.S. Postal Inspection Service contacted the hospital about a hospital employee who was the source of identity data.
As for the other gang members - one was sentenced to 11 years in prison and ordered to pay $300,000 in restitution; a second was sentenced to two years in prison, a third was sentenced to 40 months in prison, and the fourth will be sentenced on Aug. 15.

For more on this case see:
Ex-Hospital Employee Jailed for Patient Identity Theft
HIPAA Violation Indictments for 2 Medical Office Assistants

Sources:
(a) Holy Cross Hospital Identity Theft Ring Members Plead Guilty and are Sentenced - The United States Attorney's Office, Southern District of Florida, June 20, 2011


Tuesday, June 21, 2011

Insider Suspected in Theft of Customer Information at Mortgage Company

The Lending Company announced its secure database was breached, putting at risk thousands of its customers' personal data, including names, contact information, and Social Security numbers.

While originally thought to be the work of outside hackers, investigators now believe the breach was an inside job.
Learn how Veriphyr's Identity and Access Intelligence service detects breaches of data privacy by insiders - with no hardware and no on-site software.
Sources:
(a) Lending company security breach may be inside job - CBS 5 News, June 2011


Medical Assistant Fired for "Shoulder Surfing" and Breaching Patient Data Privacy

A hospital at the University of Iowa fired a full-time medical assistant for breaching patient privacy by "shoulder surfing".

The medical assistant, who had been employed by the hospital since 1994, is accused of looking over the shoulder of a co-worker while he was examining a patient's medical record. The medical assistant claimed she only did this to see if the co-worker was examining a patient's medical record without authorization.

The medical assistant then reported the co-worker and provided information about the patient being accessed to her supervisor. In response, the hospital fired her because she violated the Health Insurance Portability and Accountability Act (HIPAA) not just once, when she looked at the patient records over her co-worker's shoulder but a second time when she gave her supervisor information about that patient.
"A hospital spokesman declined to comment on the case and declined to say whether Sterner's unidentified co-worker was fired." - The Des Moines Register
The medical assistant had reportedly been previously disciplined for patient data privacy breaches, as well as attendance and work performance. After she was fired, she applied for unemployment benefits, but the hospital fought her application. The judge ruled against the hospital, saying it had not proven any work-related misconduct.
Previous breaches of patient data privacy at this hospital. Sources:
(a) 2 fired at University of Iowa Hospitals for peeking at records - The Des Moines Register, June 21, 2011
(b) UIHC fires 2 employees for patient-privacy violations - Press-Citizen, June 21, 2011


Monday, June 20, 2011

Nurse Accused of Identity Theft at 5 Hospitals in Colorado

As many as 273 patients were victims of identity theft by a single nurse who accessed their electronic medical records at five hospitals in the Denver, Colorado area.

Some hospitals only learned of the patient data privacy breaches when police brought it to their attention in May 2011, over 5 months after the nurse finished his 8-month employment stint between May 2010 and January 2011.
"the hospital was notified by the Westminster Police that [the nurse] was suspected of stealing patient demographic information from other hospitals and allegedly using it to engage in identity theft. That police investigation determined that a computer at [the hospital] had been used in one of the illegal activities." - Boulder Community Hospital
The nurse, Cannon Tubb, is accused of illegally accessing patient medical records, and in some cases using Social Security numbers and other electronic protected health information (ePHI) to open credit cards in patients' names. Tubb is awaiting extradition from Texas to face a 90-count felony indictment in Adams County, Colorado.
Download a white paper on medical privacy breach detection as a service. Learn how an on-demand, pay-per-use service can cost effectively address the HIPAA/HITECH privacy and security rules - with no hardware and no on-site software.
All 5 hospitals are cooperating with law enforcement and offering patients identity theft monitoring and recovery services for free.
"An audit of the hospital's electronic medical record indicates [the nurse] violated hospital policy and accessed demographic information unrelated to treatment ... We do not know what specific information may have been taken for any particular patient." - Boulder Community Hospital
As of June 18, the number of patients notified of the breach is 76 at Platte Valley Medical Center in Brighton; 123 at Centura Health facilities: St. Anthony Central, St. Anthony North and Porter Adventist; and 74 patients at Boulder Community Hospital.

Sources:
(a) Boulder Community Hospital involved in nurse ID theft case - KUSA-TV, June 17, 2011
(b) Platte Valley Medical Center (PVMC) Press Release - Platte Valley Medical Center (PVMC), June 2011


Is Snooping by IT Causing HIPAA Violations for You?

Disturbing information from a 2010 survey: the professionals entrusted with data security are likely to be violating it. Of about 245 IT professionals surveyed regarding unauthorized access to confidential data:
  • 67% of respondents admitted having accessed information that was not relevant to their role.
  • 41% admitted abusing administrative passwords to snoop on sensitive or confidential information.
  • 74% of respondents in the United States believed they can get around any controls that have been put in place to monitor privileged access.
Enterprises are spending millions of dollars on advanced firewalls, intrusion detection systems, and data loss prevention systems to protect against external threats. However, securing the organization's perimeter and accepting trust of internal activity by default is not enough. A rogue insider can undermine hundreds of thousands of dollars in security investment. In a time of highly visible, expensive data breaches and other HIPAA violations, the trust given to insiders should be validated. There is a need for verification, not just trust, that user access is necessary and appropriate to the user's job function and responsibilities.
Bob Glithero, VP Business Intelligence, Veriphyr
To prevent evasion of internal monitoring systems, companies need to supplement their internal systems with a system of detection and verification that resides outside the walls of the enterprise. Such a system is outside the ability of employees to subvert, even ones with privileged access.
Veriphyr Identity and Access Intelligence for HIPAA provides effective verification that user activity corresponds with approved policies and authorized behavior. Veriphyr analyzes identities, privileges, and user activity to detect violation of access control down to the record level to deter snooping into sensitive data.
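The record-level verification this post and the Colorado nurse story above both point to, as an added example (not from the page, from Veriphyr or from any hospital): each access is checked against an active treatment relationship at the time of access, a privileged role such as DBA is not an exemption, and a run of demographic-only reads with no such relationship marks the identity-theft pattern. The care-team roster and the log lines are constructed.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Fields whose viewing, by itself, serves identity theft rather than care.
DEMOGRAPHIC = {"ssn", "dob", "address", "phone"}

# Constructed care-team roster: (user, patient) -> (start, end) of an active
# treatment relationship. Access outside these windows is unrelated to treatment.
CARE_TEAM = {
    ("nurse_t", "P-100"): (datetime(2010, 5, 3), datetime(2010, 5, 9)),
    ("dr_k", "P-104"): (datetime(2010, 5, 1), datetime(2010, 5, 31)),
}

# Constructed access log: timestamp user role patient comma-separated-fields
ACCESS_LOG = """\
2010-05-04T10:12:00 nurse_t nurse P-100 vitals,meds
2010-05-04T10:20:00 nurse_t nurse P-101 ssn,address,dob
2010-05-04T10:21:00 nurse_t nurse P-102 ssn,dob
2010-05-05T07:58:00 nurse_t nurse P-103 ssn,address
2010-05-06T13:00:00 dr_k physician P-104 vitals,meds,notes
2010-05-06T23:40:00 dba_r dba P-105 ssn,dob
2010-05-12T16:05:00 nurse_t nurse P-100 meds
"""


@dataclass(frozen=True)
class Access:
    when: datetime
    user: str
    role: str
    patient: str
    fields: frozenset


def parse_log(text: str) -> list:
    """Parse the whitespace-separated log format used above."""
    accesses = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, user, role, patient, fields = line.split()
        accesses.append(Access(datetime.fromisoformat(ts), user, role, patient,
                               frozenset(fields.split(","))))
    return accesses


def has_relationship(care_team, user: str, patient: str, when: datetime) -> bool:
    window = care_team.get((user, patient))
    return window is not None and window[0] <= when <= window[1]


def audit(accesses, care_team, threshold: int = 3):
    """Return (findings, suspects). A finding is every record-level access with
    no treatment relationship at that time, whatever the user's role; suspects
    are users whose demographic-only unrelated accesses reach the threshold."""
    findings = []
    demo_counts = Counter()
    for a in accesses:
        if has_relationship(care_team, a.user, a.patient, a.when):
            continue
        demo_only = a.fields <= DEMOGRAPHIC
        reason = ("demographic-only access, no treatment relationship" if demo_only
                  else "access with no treatment relationship")
        findings.append((a.when.isoformat(), a.user, a.role, a.patient, reason))
        if demo_only:
            demo_counts[a.user] += 1
    suspects = {u: n for u, n in demo_counts.items() if n >= threshold}
    return findings, suspects


def demo():
    return audit(parse_log(ACCESS_LOG), CARE_TEAM)


if __name__ == "__main__":
    found, flagged = demo()
    for f in found:
        print(*f)
    print("users at threshold:", flagged)
```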
Sources:
(a) Are your IT folks snooping your protected data? - Network World, July 7, 2010

Sunday, June 19, 2011

Patient Privacy Concerns are #1 Barrier to Doctor Adoption of Mobile Devices

Patient privacy is the top barrier impeding doctors from embracing mobile devices for doctor-to-doctor and doctor-to-patient activities. Surprisingly, this is from a survey of doctors who already use both smartphones and tablet computers - so-called "Super Mobile" doctors.

Interestingly, the #1 item on the doctors' wish-list for their mobile devices is access to Electronic Medical Records (EMR) systems. Clearly ensuring patient data privacy is a critical prerequisite for expanding EMR access to mobile devices.
Download a white paper on patient privacy breach detection as a service. Learn how to protect patient privacy accessed by mobile devices - with no hardware and no on-site software.
[Chart: Top concerns limiting doctor-to-doctor activities with a mobile device]
[Chart: Top concerns limiting doctor-to-patient activities with a mobile device]

Background on Survey
Over 80% of doctors responding to the survey have a smartphone or tablet capable of downloading applications. Moreover, 44% of the doctors who do not have a mobile device plan to purchase one in 2011. 19% of all doctors use a tablet in clinical settings and another 35% are extremely likely to do so in the next few years.

This survey was done by QuantiaMD, a mobile and online community serving over 125,000 physicians with opportunities to learn from, and exchange insights with, their peers and experts in their fields. For more see www.quantiamd.com.

Sources:
(a) Tablets Set to Change Medical Practice - QuantiaMD Survey, June 15, 2011


Saturday, June 18, 2011

Insiders Who Stole Customer Data Fined $120,000 by Court

A court in the United Kingdom imposed £73,700 (approximately $120,000) in fines and confiscation costs on two insiders who stole and sold customer data from T-Mobile, the UK mobile phone company at which they worked.
"Those who have regular access to thousands of customer details may think that attempts to use it for personal gain will go undetected. But this case shows that there is always an audit trail."
Christopher Graham, Information Commissioner
The investigation was launched when a mobile phone operator became suspicious that customer names, addresses, telephone numbers and contract renewal data were being disclosed by insiders. The investigation culminated in two men pleading guilty to a number of offenses, including obtaining personal data without the data controller’s consent and selling that data to a third party.
Learn how Veriphyr's Identity and Access Intelligence service detects breaches of data privacy by insiders - with no hardware and no on-site software.
Sentencing and the final confiscation hearing took place on June 10, 2011. If the court's confiscation orders are not paid within six months, the two men will serve prison sentences of 15 months and 18 months respectively.
"Today’s hearing marks the final chapter in an investigation that has exposed the criminals behind a mass illegal trade in lucrative mobile phone contract information. It also marks a new chapter of effective deterrents on data crime where the courts will act to recover the ill-gotten gains." - Christopher Graham, Information Commissioner
The fines and confiscation costs are a result of the "Proceeds of Crime Act", UK legislation which provides for the recovery of the proceeds from crime. This case is the first time the authorities have requested and been granted use of confiscation orders.

Sources:
(a) Customer data thieves made to pay £73,700 - UK Information Commissioner’s Office, June 10, 2011
(b) Detailed Case Summary of Insider Theft at T-Mobile by David Turley and Darren Hames - UK Information Commissioner’s Office, June 10, 2011


Friday, June 17, 2011

Helping Local Hospitals Care for Children in Need

Veriphyr is proud to sponsor Children’s Miracle Network Hospitals - a charity that raises funds for more than 170 children's hospitals.

Donations to Children’s Miracle Network Hospitals are used to provide charitable care, purchase life-saving equipment, and fund research and education programs that save and improve the lives of 17 million children each year.

Children’s Miracle Network Hospitals (CMN) has just launched a new website called "100 Million Miracles" where all of CMN's sponsors can lend their support to one sponsor's fundraising campaign.

In June, Delta Airlines is offering donation incentives tied to its airline mileage program. All of us at Veriphyr are proud to share this opportunity to help children in need.

NOTE: Donation or purchase is not necessary to enter or win. See the Official Rules.


Monday, June 13, 2011

Insider Abuse at Bank of America Costs $10 Million

According to the L.A. Times, an insider at Bank of America leaked information on 300 customer accounts to accomplices, leading to unauthorized withdrawals of more than $10 million. It's unclear how effective existing fraud detection tools were in uncovering the theft, as more than a year passed between the detection of the problem and the time customers were notified. Some customers only detected a problem after examining account activity or receiving notices from UPS that delivery of new checks had been attempted.
Bob Glithero, VP Business Intelligence, Veriphyr
In this case, a BofA employee with access to customer information is alleged to have leaked personally identifiable information such as names, addresses, Social Security numbers, phone numbers, bank account numbers, driver's license numbers, birth dates, e-mail addresses, family names, PINs and account balances.

Jim Kollar, assistant special agent in charge of the Secret Service's Los Angeles office, said Secret Service and FBI agents arrested 95 suspects in the case in February. He said it's possible the suspects have gang ties.
"It was a ring of people, based in Southern California, with an inside person at the bank pushing out the information," Kollar said. "They had a lot of people on the outside receiving that information."
Even with appropriate identity management controls, such as background checks and provisioning employees only with the minimum access necessary for their job function, companies will still face exposure from insiders who have appropriate rights for their jobs - and then abuse those rights. Verification that user activity is in line with authorized privileges and expected behavior is one effective defense against insider abuse: when you have a teller who is accessing many times more accounts than his peers over a given period, a follow-up investigation may be warranted.

However, there is also a need to provide verification and reporting of access and activity exceptions in a way that business managers and executives can quickly understand and that does not tax an already overworked IT staff. The verification process should be made more effective and more efficient by making better use of data the organization already has, without adding more hardware or software and by replacing manual activity whenever possible.
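The peer-comparison check described above (a teller touching many times more accounts than colleagues in the same role) can be expressed as a small script run over an access log. The following is an added example written for this post; it is not Veriphyr's product code and is not taken from the L.A. Times article. It assumes a constructed CSV-style access log with the fields timestamp,user,role,account_id,action (the sample lines are made up), counts distinct accounts per user, and scores each user against the median and median absolute deviation (MAD) of peers in the same role using the modified z-score cutoff of 3.5. When peers are nearly identical the MAD is zero, so the script falls back to a plain ratio-to-median rule instead of dividing by zero, and it only reports on roles with enough peers to form a baseline. The output is a set of plain-language lines of the kind a business manager could act on without IT help.

```python
"""Peer-group comparison of distinct-account access counts (added example, not Veriphyr code)."""
import csv
import io
import statistics
from collections import defaultdict

MIN_PEERS = 3               # need at least this many users in a role to form a baseline
MODIFIED_Z_THRESHOLD = 3.5  # conventional Iglewicz-Hoaglin cutoff for the modified z-score
MIN_RATIO = 2.0             # additionally require at least 2x the peer median (avoids tiny deltas)


def build_sample_log() -> str:
    """Constructed sample data, not a real log: accounts touched by each user in one week.
    Teller t04 is the planted outlier; the four managers are nearly identical to each other."""
    activity = {
        ("t01", "teller"): ["A1001", "A1002", "A1003", "A1001"],  # repeat access: distinct count is 3
        ("t02", "teller"): ["A1004", "A1005", "A1006", "A1007"],
        ("t03", "teller"): ["A1008", "A1009", "A1010"],
        ("t04", "teller"): [f"A2{i:03d}" for i in range(12)],
        ("m01", "manager"): ["A1001", "A1004"],
        ("m02", "manager"): ["A1005", "A1008"],
        ("m03", "manager"): ["A1002", "A1009"],
        ("m04", "manager"): ["A1003", "A1006", "A1010"],
    }
    lines = ["timestamp,user,role,account_id,action"]
    day = 2
    for (user, role), accounts in activity.items():
        for i, acct in enumerate(accounts):
            lines.append(f"2011-05-{day:02d}T09:{i:02d}:00,{user},{role},{acct},view")
        day += 1
    lines.append("2011-05-09T10:00:00,,teller,,view")  # malformed row: the parser skips it
    return "\n".join(lines) + "\n"


def parse_log(text: str):
    """Parse CSV access-log text into (user, role, account_id) tuples, skipping malformed rows."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        if not all(rec.get(k) for k in ("user", "role", "account_id")):
            continue
        rows.append((rec["user"], rec["role"], rec["account_id"]))
    return rows


def distinct_accounts_per_user(rows):
    """Return {role: {user: number of distinct accounts touched}}."""
    seen = defaultdict(lambda: defaultdict(set))
    for user, role, acct in rows:
        seen[role][user].add(acct)
    return {role: {u: len(a) for u, a in users.items()} for role, users in seen.items()}


def find_outliers(counts_by_role):
    """Flag users whose distinct-account count is far above their role peers."""
    findings = []
    for role, counts in counts_by_role.items():
        if len(counts) < MIN_PEERS:
            continue  # too few peers to say what "normal" looks like
        values = list(counts.values())
        med = statistics.median(values)
        mad = statistics.median(abs(v - med) for v in values)
        for user, n in counts.items():
            if mad > 0:
                score = 0.6745 * (n - med) / mad  # modified z-score
                flagged = score > MODIFIED_Z_THRESHOLD and n >= MIN_RATIO * med
            else:
                # Peers are (nearly) identical, so MAD is zero: use the ratio rule alone.
                score = float("inf") if n > med else 0.0
                flagged = n > med and n >= MIN_RATIO * med
            if flagged:
                findings.append({"user": user, "role": role, "accounts": n,
                                 "peer_median": med, "score": round(score, 2)})
    return sorted(findings, key=lambda f: -f["accounts"])


def format_report(findings):
    """Plain-language lines for a manager; one line per exception."""
    if not findings:
        return ["No access-count exceptions found."]
    return [f"{f['user']} ({f['role']}) accessed {f['accounts']} distinct accounts; "
            f"peer median is {f['peer_median']:g}. Follow-up investigation recommended."
            for f in findings]


if __name__ == "__main__":
    counts = distinct_accounts_per_user(parse_log(build_sample_log()))
    for line in format_report(find_outliers(counts)):
        print(line)
```

Running the script flags only t04 (12 distinct accounts against a teller median of 3.5); manager m04, who touched one more account than peers, is not reported because the ratio rule requires a material difference. The same counting could be done per shift or per day, and the account-level detail behind each flagged user is what makes a follow-up investigation possible.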
Veriphyr Identity and Access Intelligence provides effective verification that user activity corresponds with approved policies and authorized behavior. Veriphyr analyzes identities, privileges, and user activity to detect violation of access control down to the record level to deter snooping into sensitive data. There’s no hardware or software to install and no integration needed with your existing systems.
Sources:
(a) Bank of America data leak destroys trust - Los Angeles Times, May 24, 2011



Copyright © 2010-2011 by Veriphyr Incorporated, All Rights Reserved.

Contact us at Veriphyr.com.