Friday, June 29, 2012

Government Worker Pleads Guilty to $2 Million Identity Theft

A receptionist for the Minnesota Board of Psychology pled guilty to conspiracy to commit bank fraud and aggravated identity theft that resulted in $2 million in fraudulent purchases and bank withdrawals.

She misused her access to psychologists' personal information to steal Social Security numbers and bank account data between August and November of 2010.
The personal information was used to commit identity theft at financial institutions and retail businesses in no fewer than 14 states. - Minnesota U.S. Attorney’s Office Press Release
She was reprimanded in 2010 for inappropriate use of electronic technology, but it was not until March 2011 that she was the subject of a two-month "employee misconduct investigation".

Her plea deal involves up to six years in prison for conspiracy to commit bank fraud and aggravated identity theft. She also agreed to make restitution of $358,780 to the victims.
Download a white paper on privacy breach detection. Learn how to proactively identify unauthorized breaches of data privacy, even by authorized users - with no hardware and no on-site software.
Sources:
(a) St. Paul woman pleads guilty to role in large, multi-state identity theft ring - Minnesota U.S. Attorney’s Office Press Release, June 21, 2012

Thursday, June 28, 2012

Healthcare Telecom/IT to Grow 9.7% - Faster than Overall Spending in Healthcare or Any Other Industry

Overall healthcare spending is predicted to grow 6.4% per year between now and 2017. This is faster than any other industry in the U.S., according to a recent report by The Insight Research Corporation (IRC).

IRC predicts that healthcare spending on telecommunications and IT will grow EVEN FASTER, at a compound annual growth rate of 9.7% over the next five years.

The number of healthcare locations is increasing by 2.4% annually, while healthcare employment is increasing 2.5 times the total employment rate.
"Electronic monitoring will enable an exception management model, whereby systems and networks record continuous patient information." - Insight Research Corporation
The dramatic increase in patient monitoring will continue the growing need for HIPAA breach detection to protect the increasing quantity of patient data.

Rising healthcare industry costs and a shortage of skilled staff mean hospitals and other front-line healthcare providers will outsource HIPAA breach detection and embrace new technologies that dramatically reduce the cost of protecting HIPAA data privacy.
Download a white paper on HIPAA breach detection service. Learn how to proactively identify unauthorized breaches of patient data privacy, even by authorized users - with no hardware and no on-site software.
Sources:
(a) Telecom, IT and Healthcare: Wireless Networks, Digital Healthcare and the Transformation of US Healthcare, 2012-2017 executive summary - The Insight Research Corporation, May 2012

Wednesday, June 27, 2012

Trust is THE Challenge for Health Information Exchanges

Patient privacy was a hot topic at a discussion on Health Information Exchanges (HIE) at the recent HIMSS 2012 Virtual Conference.
"What is a major challenge, of course, is the trust model – how do we understand to whom we're sending, and to whom we're requesting?" - Chris Chute, MD, a principal investigator for the Southeastern Minnesota (SE MN) Beacon Community
Imagine a healthcare worker who uses a health information exchange (HIE) to request the medical records of a celebrity, a politician, or his estranged sister-in-law from their care providers. Who's to know whether he is making a legitimate request or snooping with bad intent? Who's to know which requests are legitimate and validated?

And in an emergency "time is tissue" as an ER doctor once told me. Should an HIE put up barriers that delay life-saving information? Would this require a "break glass" option? Clearly, there will always be questionable record requests, and HIPAA data privacy breach detection will be needed to analyze requests and proactively identify suspicious ones.
Download a white paper on HIPAA privacy breach detection. Learn how to proactively identify unauthorized breaches of patient data privacy, even by authorized users - with no hardware and no on-site software.
Sources:
(a) Q&A: Beacon leaders discuss IT's role in care revolution - Healthcare IT News, June 22, 2012

Tuesday, June 26, 2012

$1.7 Million Settlement for HIPAA Security-Rule Violation

First HHS/OCR HIPAA enforcement action against a state agency.

The Alaska Department of Health and Social Services (the state Medicaid agency) has agreed to pay $1,700,000 to settle possible violations of the HIPAA Security Rule.

In addition, Alaska DHSS will take corrective action to properly safeguard the electronic protected health information (ePHI) of their Medicaid beneficiaries.
"Covered entities must perform a full and comprehensive risk assessment and have in place meaningful access controls to safeguard hardware and portable devices." - OCR Director Leon Rodriguez
The HHS Office for Civil Rights (OCR) began its investigation following a breach report submitted by Alaska DHSS as required by the HITECH Act. During the investigation, OCR found evidence that DHSS did not have adequate policies and procedures in place to safeguard ePHI.
Download a white paper on patient privacy breach detection. Learn how to proactively identify unauthorized breaches of patient data privacy, even by authorized users - with no hardware and no on-site software.
Sources:
(a) Alaska Medicaid settles HIPAA security case for $1,700,000 - HHS.gov, June 26, 2012
(b) HHS/OCR Resolution Agreement - HHS.gov, June 26, 2012

Years of Psychiatric Counseling Sessions are Now Available Online to Any Hospital Employee

At the recent conference by Patient Privacy Rights a speaker spoke from personal experience about the risk of electronic medical records.

A woman told how her session with a psychiatrist (200 pages of discussions about depression, debt, and childhood sexual abuse) became available to any healthcare worker who wanted to read them across a sprawling chain of medical facilities.
"It’s one thing to give your psychiatrist the right to share your information [with certain doctors], it’s another to enter your data into a system that makes it available with relative ease to an unknown number of physicians who may be involved in your care." - Dr. David Blumenthal, Partners’s chief health information and innovation officer and former national coordinator for health information technology for the Obama administration
This is the challenge as providers in separate healthcare networks begin to share patient records online. While the goal is to better coordinate care and cut costs, there are significant risks of unauthorized access to patient information.

Healthcare organizations are concerned about putting restrictions on who can view a patient's records. Should an individual have a medical emergency, that person's medical records must be instantly available to those providing life-saving care.

But without an effective HIPAA privacy breach detection capability, there is the risk of people snooping on sensitive personal information without any clinical reason.
Sources:
(a) As records go online, clash over mental care privacy - The Boston Globe, June 21, 2012

Monday, June 25, 2012

WSJ - Electronic Medical Records Enable Medical Identity Theft

Over the weekend the Wall Street Journal highlighted the downside of electronic medical records.

"But for all the hype about electronic records, little attention has been paid to what some say is a serious weak spot: When those sensitive bits and bytes fall into the wrong hands, it's often patients who feel the pain."

"A medical identity thief, for example, might use a stolen insurance card to submit false claims in order to get cash back -- which can cause the real insurance holder to be saddled with a higher insurance premium, or even left on the hook for fraudulent medical bills."
"Unlike the case with credit cards, there are no industry measures to limit consumer liability in medical-record fraud." - Harry Rhodes, director of practice leadership for the American Health Information Management Association
"Deven McGraw, director of the Health Privacy Project at the Center for Democracy & Technology in Washington, D.C., advises consumers to guard their health insurance cards the way they would their credit cards and to carefully review their statements of insurance benefits."
Sources:
(a) A Risky Rx for Your Digital Records - Wall Street Journal, June 23, 2012

Sunday, June 24, 2012

Doctor Fined For Downloading Patients’ Personal Information

A doctor was fined $20,000 by the Connecticut Medical Examining Board for the unauthorized download of information belonging to 339 patients.

In addition, his license was put on probation for six months while he completes training classes in physician ethics, patient confidentiality and compliance with HIPAA.
"Unauthorized accessing of patient information is a violation of the federal HIPAA law that my office is empowered to enforce." - Attorney General Richard Blumenthal
The doctor worked for a company that provides radiology services to the hospital. He was terminated on February 3rd and his access to hospital systems was terminated at that time.

However, for one entire month (from February 4th to March 5th) the doctor illegally accessed the radiology application from his home using passwords stolen from other radiologists. He downloaded a total of 339 patients’ names, exam dates, exam descriptions, gender, age, medical record numbers, image files, and dates of birth.

The hospital only became aware of the privacy breach when patients complained the radiologist was calling them to offer medical services at another hospital.
Catch HIPAA privacy breaches before your customers complain. Download a white paper on HIPAA breach detection service that proactively identifies breaches of patient privacy, even those using stolen passwords - with no hardware and no on-site software.

A time-consuming and exhaustive examination of the radiology application's access logs eventually revealed the culprit based on his Internet Protocol (I.P.) address.
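The log review described above can be automated. The following is an added example, not code from the hospital or any product named on this page: it flags external source IPs shared by several accounts, and logins from an IP that a terminated account had used before its termination. The log format, account names, addresses and termination feed are all constructed assumptions.

```python
import csv
import io
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample access log (not data from the incident).
# Columns: timestamp, account, source IP, action.
SAMPLE_LOG = """\
2010-02-01T09:12:00,rad_adams,10.20.1.15,view_study
2010-02-02T10:40:00,rad_baker,10.20.1.22,view_study
2010-02-03T08:05:00,rad_exited,203.0.113.77,view_study
2010-02-05T22:14:00,rad_adams,203.0.113.77,download_image
2010-02-09T23:01:00,rad_baker,203.0.113.77,download_image
2010-02-10T09:30:00,rad_adams,10.20.1.15,view_study
2010-02-20T21:47:00,rad_clark,203.0.113.77,download_image
2010-02-21T11:00:00,rad_clark,198.51.100.9,view_study
"""

# Assumption: HR supplies a termination time per account (hypothetical feed).
TERMINATED = {"rad_exited": datetime(2010, 2, 3, 17, 0)}

# Assumption: the organization's internal address space.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def parse_log(text):
    """Parse CSV log text into dicts with a real datetime in 'ts'."""
    rows = []
    for rec in csv.reader(io.StringIO(text)):
        if not rec:
            continue  # tolerate blank lines
        ts, account, ip, action = rec
        rows.append({"ts": datetime.fromisoformat(ts), "account": account,
                     "ip": ip, "action": action})
    return rows


def is_external(ip, internal_nets=INTERNAL_NETS):
    """True when the address lies outside every internal network."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in internal_nets)


def shared_external_ips(rows, min_accounts=2):
    """Map each external IP used by >= min_accounts accounts to those accounts."""
    accounts_by_ip = defaultdict(set)
    for r in rows:
        if is_external(r["ip"]):
            accounts_by_ip[r["ip"]].add(r["account"])
    return {ip: sorted(accts) for ip, accts in accounts_by_ip.items()
            if len(accts) >= min_accounts}


def post_termination_reuse(rows, terminated):
    """Logins by OTHER accounts, after a termination, from an external IP
    that the terminated account had used while it was still active."""
    tainted = {}  # ip -> (terminated account, termination time)
    for r in rows:
        end = terminated.get(r["account"])
        if end is not None and r["ts"] <= end and is_external(r["ip"]):
            tainted[r["ip"]] = (r["account"], end)
    hits = []
    for r in rows:
        if r["ip"] in tainted:
            former, end = tainted[r["ip"]]
            if r["account"] != former and r["ts"] > end:
                hits.append((r["ts"].isoformat(), r["account"], r["ip"], former))
    return hits


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for ip, accts in shared_external_ips(log).items():
        print(f"{ip} used by {len(accts)} accounts: {', '.join(accts)}")
    for ts, account, ip, former in post_termination_reuse(log, TERMINATED):
        print(f"{ts} {account} from {ip} (IP previously used by terminated {former})")
```

Run on a schedule rather than after a complaint, both checks would surface the shared home address within days of the first post-termination login.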

The doctor and the Connecticut Medical Examining Board worked out an agreement, which was formally presented to and accepted by the examining board on June 19, 2012.


Sources:
(a) Local Doctor Fined $20,000 - Valley Independent Sentinel, June 19, 2012
(b) Griffin Hospital Notifies Patients of Breach of Protected Health Information - Hospital website, March 29, 2010
(c) Update: Griffin Hospital Data Breach - Valley Independent Sentinel, March 29, 2010
(d) Patient data breach at Griffin Hospital - News 8 wtnh.com, March 29, 2010

Friday, June 22, 2012

Hospital Fined Over $350,000 for Violation of Data Protection Act

The Belfast Health Trust was fined £225,000 (US $350,707) by the Information Commissioner's Office (ICO) for what the ICO called a serious patient data privacy breach.

The ICO determined that the healthcare trust failed significantly in its duty to its patients. They announced the fine as an example for all organisations about the need to keep personal data secure.
"The severity of this penalty reflects the fact that this case involved the confidential and sensitive personal data of thousands of patients and staff being compromised." - Ken Macdonald, ICO's Assistant Commissioner
Medical files were stolen from a hospital in Belfast and posted online. The private data included sensitive information such as medical records, X-rays, lab results and staff records including unopened payslips.
"It is money we can ill afford." - DUP minister
Kieran McCarthy, Alliance MLA, announced that the failure to secure patient records was a horrendous mistake and the large fine something the healthcare organization can ill afford to pay.

Sources:
(a) Belfast Trust fined over data breach - UTV News, June 19, 2012

Tuesday, June 19, 2012

707 Patients' Medical Records Compromised by Single Rogue Employee Due to Insufficient Privacy Breach Detection

An employee of a hospital in Nova Scotia, Canada was fired for inappropriately accessing patient medical records. After a co-worker raised a concern to the employee's manager, the hospital performed an exhaustive audit covering the past 2 years.

The time-consuming audit of application logs in the electronic medical records (EMR) and other clinical systems revealed the employee had viewed the 707 patient records without authorization or a valid reason.
"Even if it's one or two people whose information was accessed inappropriately, that would be too much." - Fraser Mooney, a spokesman for hospital
Better Privacy Breach Detection Needed
According to the CEO's apology letter, the hospital "does regular audits of access to electronic health records and we use auditing software to help identify any possible cases of unauthorized or inappropriate access to patient information". Given that the employee's privacy breaches went undetected for 2 years, the hospital's current solution appears to be inadequate. Moreover, the privacy breach was discovered by a suspicious co-worker and not by the hospital's privacy breach detection software.
Download a white paper on patient privacy breach detection that works. Learn how to proactively identify unauthorized breaches of patient data privacy, when they happen not 2 years later - with no hardware and no on-site software.
The hospital has notified and apologized to hundreds of patients whose privacy rights were violated. Interestingly, the hospital refused to provide the name of the former employee and said it had no plan to pursue criminal charges against him or her.

This is the second major privacy breach in one of Nova Scotia's health districts this year. A previous privacy breach involved over 120 patients at a different hospital.

Sources:
(a) 707 patients notified of privacy breach at Roseway Hospital - Global Maritimes, June 14, 2012
(b) South West Health CEO issues statement on policy breach - The Yarmouth County Vanguard, June 15, 2012

Monday, June 18, 2012

Electronic Health Records are a Game Changer for Patient Privacy Rights

Here is one of the most interesting comments made by speakers at the "2nd International Summit on the Future of Health Privacy" organized by Patient Privacy Rights.

All 40 leading health-privacy experts at the conference in Washington, DC supported the thesis that the stakes are high when it comes to electronic medical records and privacy.
"Electronic technology is a game changer, legally, because the damage that can be done to someone is perpetual and the damages that can be awarded are incalculable." - James Pyles of law firm Powers, Pyles, Sutter, & Verville
About Patient Privacy Rights
Patient Privacy Rights (PPR) works to empower individuals and prevent widespread discrimination based on health information using a grassroots, community organizing approach. For more see: patientprivacyrights.org
Sources:
(a) Experts discuss technology and privacy protections at 2nd International Summit on the Future of Health Privacy - Patient Privacy Rights website, June 8, 2012

Friday, June 15, 2012

50% of Healthcare Providers to Add or Replace Business Intelligence Solution Over Next 3 Years

Over the next 3 years, about half of healthcare providers are planning to buy or replace their business intelligence (BI) solutions, according to the report "Business Intelligence Perception 2012: A Wave is Coming" by KLAS.

Some are using a “hybrid strategy” of multiple BI vendors. “Seventeen percent of the customers we spoke with said that they are using multiple BI solutions to meet various departmental and reporting needs,” stated the report's author, Joe Van De Graaff. “And that number is likely to grow.”
"If hospitals can’t produce data analytics in the next couple of years, they are going to suffer. As far as I am concerned, data is money in the future." - CIO interviewed for survey
About KLAS
KLAS is a research firm specializing in monitoring and reporting the performance of healthcare vendors. Working together with executives from over 4,500 hospitals and over 2,500 clinics, KLAS delivers timely reports, trends, and statistics, which provide a solid overview of worldwide vendor performance in the industry.
Learn how Veriphyr Identity and Access Intelligence delivers business insights - with no hardware and no on-site software.
Sources:
(a) BI Perception 2012: A Wave Is Coming - KLAS Research, April 27, 2012

Thursday, June 14, 2012

Insurance Firm Urges Policy Holders to Request an 'Accounting of Disclosures'

Nationwide Insurance is recommending policyholders "request an accounting of disclosures" from their healthcare provider. The suggestion is part of the insurer's "Tips for Protecting Medical Identity".

The advice stems from Nationwide's national survey on Medical Identity Theft, which reveals that adults with health insurance are more vigilant about monitoring their credit report for financial identity theft than monitoring their medical records for medical identity theft.
"A stolen medical identity has a $50 street value -- whereas a stolen social security number, on the other hand, only sells for $1." - Kirk Herath, Nationwide Chief Privacy Officer
The survey reveals that awareness of medical identity theft is now where financial identity theft was a few years ago. So insurers and other interested parties are taking the lead to educate consumers - and a key part of that is teaching consumers to monitor who is accessing their medical records.

So while healthcare compliance officers reportedly have historically only fielded a few requests for an accounting of disclosures, there is a movement by insurers to drive up the number of requests into the future.

This is a problem for healthcare organizations because the Department of Health and Human Services (HHS) has proposed greatly expanding the type of disclosures healthcare providers would have to track and report on. Healthcare organizations are objecting that this will dramatically increase their administrative overhead, especially if, as suggested by Nationwide Insurance, patients were to routinely request an accounting of disclosures.

Download a white paper on a service that could slash the effort to provide an accounting of disclosures. Learn how to effectively track and report on all access to a patient's electronic medical records - with no hardware and no on-site software.
It costs about $20,000 and takes 4-6 months to resolve a medical identity theft based on information from actual victims. - Nationwide Insurance
Sources:
(a) Nationwide Insurance consumer survey shows need to educate, take precautions to protect your credit and your health - Nationwide Insurance Press Release, June 13, 2012
(b) HHS releases new draft accounting of disclosure rules - Health IT Exchange, May 27, 2011

Wednesday, June 13, 2012

HHS Audit Finding - User Activity Monitoring "In Need of Improvement"

The HHS Office of Civil Rights made some significant points in presentations at the Safeguarding Health Information: Building Assurance through HIPAA Security Conference in Washington, D.C. (co-hosted by OCR and the National Institute of Standards and Technology).

Director of the HHS Office of Civil Rights Leon Rodriguez emphasised that OCR has significantly raised their expectations of compliance by covered entities and their business associates.
HIPAA enforcement agencies’ tolerance for noncompliance with HIPAA is “much, much lower” than in years past. - Leon Rodriguez, Director of the HHS Office of Civil Rights
Senior OCR advisor Linda Sanches gave an initial report on the first 20 OCR audits. User activity monitoring was highlighted as an area much in need of improvement, as was contingency planning. Overall, the largest number of problems was discovered in security protections.
Download a white paper on user activity monitoring. Learn how to proactively identify unauthorized breaches of patient data privacy, even by authorized users - with no hardware and no on-site software.
Sources:
(a) OCR Director Leon Rodriguez Says Tolerance for HIPAA Non-Compliance Is Low - Privacy and Information Security Law Blog, June 7, 2012

Monday, June 11, 2012

Medical Technician Sold Patient Data for Over a Year

A medical technician in the general surgery department of a D.C. university hospital was charged with selling patients’ names, addresses, dates of birth and Medicare numbers to an outside party. The insider theft of individually identifiable health information went on for 16 months before it was detected and stopped.

Beth Givens of the consumer advocacy group Privacy Rights Clearinghouse told the Washington Times that she was particularly concerned that the crime went undetected for well over a year.
"That the illegal sale of personal information could be allowed to go on for that long strikes me as an indication that the internal auditing practices of the hospital were lacking." - Beth Givens, director of the nonprofit Privacy Rights Clearinghouse
Catch patient privacy breaches when they happen. Download a whitepaper on patient privacy breach detection. Learn how to proactively identify unauthorized breaches of patient data privacy, even by authorized users - with no hardware and no on-site software.

Neither the court nor the hospital provided any information on how much money the medical technician received or what the buyer did with the information.

The medical technician was charged with one count of wrongful disclosure of individually identifiable health information. If convicted she faces a sentence of up to 10 years in prison because the violation involves selling the information for money.

Sources:
(a) Howard University Hospital worker accused of selling health records - The Washington Times, May 15, 2012

Sunday, June 10, 2012

Regulatory Compliance is Most Significant Concern of CIO at Top Tier Hospital

The Chief Information Officer at Harvard Medical School has an insightful blog called "Life as a Healthcare CIO". I highly recommend following his posts to anyone involved in healthcare information technology.

Recently he shared his thoughts on his most significant concerns. In his role as a clinician and informatics leader he is focused on the need to increase the value (quality/cost) of the services his organization provides. But in his role as CIO he has a very different focus.
"As a CIO, it's the mounting regulatory and compliance pressures that keep me up at night." - John Halamka, CIO Harvard Medical School
He observes that regulatory compliance will require a level of resources and focus that will reshape his plans for the next year or longer and provides a rundown of his projects for this summer, his "Summer of Compliance".
"Over one third of my budget is for security and compliance related projects." - John Halamka, CIO Harvard Medical School
Background: John D. Halamka, MD, MS, is Chief Information Officer of Beth Israel Deaconess Medical Center, Chief Information Officer at Harvard Medical School, Chairman of the New England Healthcare Exchange Network (NEHEN), Co-Chair of the HIT Standards Committee, a full Professor at Harvard Medical School, and a practicing Emergency Physician.

Sources:
(a) The Summer of Compliance - LIFE AS A HEALTHCARE CIO, June 6, 2012

Saturday, June 9, 2012

New York State Employee Sold Personal Information from State Systems to Identity Thieves

Another case of a government employee selling sensitive information about citizens to criminals. In this case, an employee of the New York State Office of Children and Family Services sold personal information about multiple people to an outside party that used the information for identity theft.

The government employee's breach of data privacy was discovered when one of the identity theft victims reported to the local police that a credit card was opened in her name.

The District Attorney’s Office and investigators from the Federal Bureau of Investigation (FBI) followed a trail that eventually led back to the state employee.
"Identity theft is a serious crime that can have lasting negative effects on victims. An observant resident who reported identity theft and criminal impersonation to police led to the uncovering of a larger scheme that involved gross misuse of personal identifying documents." - Albany County District Attorney P. David Soares
The rogue employee was arraigned on one count of receiving a reward for official misconduct in the second degree. She is being held in lieu of $20,000 bail.
Sources:
(a) ID theft sting nabs state employee - Empire State News, June 8, 2012

Friday, June 8, 2012

Identity and Access Intelligence Article in Network World

Network World has a great article covering Identity and Access Intelligence (IAI) by Brian Musthaler. The article discusses how IAI helps highly regulated organizations enhance privacy, assure compliance and reduce risk.

Brian also talks about how Identity and Access Intelligence can specifically address patient privacy issues in healthcare, and about one hospital that is moving forward with IAI to improve and simplify its privacy breach detection and user access compliance services.
"By analyzing actual activity rather than expected activity and access information from directories, applications, systems, and policy repositories, Veriphyr will provide Gillette intelligence that we need to prevent data leaks and privacy violations." - Paul Higby, Gillette Children's Specialty Healthcare
Learn more about Identity and Access Intelligence or download a white paper on patient privacy breach detection. Learn how to proactively identify unauthorized breaches of patient data privacy, even by authorized users - with no hardware and no on-site software.

Sources:
(a) Identity access intelligence solutions pinpoint access privilege abuse - Brian Musthaler, Network World, June 8, 2012

Thursday, June 7, 2012

Nova Scotia Healthcare Worker Violated Privacy of 120 Patients Over 6 Years (Update)

We have an update on the employee of Nova Scotia's largest health board who admitted to breaching the privacy of 120 patients over 6 years.

After her story became public she went on television to apologize for viewing the private medical files of family and friends by saying "I'm not particularly proud of what I've done. I know it was wrong".
When asked why she looked at the files, she said, "Plain and simple, the information was there. So easy." - health board Employee
We now know the healthcare organization started an investigation when the perpetrator made an off-hand remark to a nurse about checking her father's records and the nurse reported the breach.

The patient data privacy breaches were accomplished in spite of all the policies and systems put in place to prevent it.
"If someone is going to disregard policy and access records inappropriately, we can't block that in the end." - John Gillis, spokesman for the organization
But you can effectively catch people who disregard policy and access records inappropriately. Download a white paper on patient privacy breach detection. Learn how to proactively identify unauthorized breaches of patient data privacy, even by authorized users - with no hardware and no on-site software.

The employee's estranged sister-in-law doesn't buy the apology or the explanation. She said, "We feel from a civil point of view that [Health Board] hasn't done due diligence. They were aware that [the employee] was looking into our medical files and copying, printing and taking home for years and it has done absolutely nothing to stop it."
"If [the health board] was to do a full audit on all employees, it'd be hard to find a few that had never at one point or another, that never did this." - health board Employee
11 of the patients whose medical privacy was violated others are planning a lawsuit against the health board.

Sources:
(a) Former Capital Health worker sorry for privacy breach - CBC News, February 14, 2012
(b) Capital Health doesn't look for privacy breaches - CBC News, February 16, 2012

Wednesday, June 6, 2012

51% said Data Breach Might or Will Cause Them to Stop Dealing with Breached Organization

According to a survey conducted by the Ponemon Institute, data breaches have a negative effect on an organization's relationship with its customers or patients.

After being notified about a data breach by an organization, 15% say they will terminate their relationship, 39% say they will consider severing the relationship, and 35% say the decision to terminate a relationship will depend on the organization not having another data breach.
85% said "Organizations that fail to protect my personal information are untrustworthy"
Personal data respondents worry most about if lost or stolen
Source: "2012 Consumer Study on Data Breach Notification" by Ponemon, 2012
About the Survey
The survey was conducted by the Ponemon Institute and sponsored by Experian to examine consumer attitudes and experiences with breaches in various industries. The Web-based survey had 2,832 respondents, 708 of whom said they had experienced some type of breach of their personal information.

Sources:
(a) 2012 Consumer Study on Data Breach Notification - Ponemon and Experian, June 2012 (Registration Required)

Tuesday, June 5, 2012

Yet Another Patient Privacy Breach Due to Employee 'Snooping' Medical Records in the UK

A staff member may have 'inappropriately' accessed medical records at a medical group in the UK. The data breach only became public after the organization sent letters to patients apologising for the breach.

One patient angrily complained that the practice would not explain why the perpetrator accessed the records or specify what had been done with the patient data. She was only told that the person who did it had been dealt with, but not fired.
"I will be looking into moving to another practice." - Patient of the medical group
The practice has not disclosed how long the employee had been 'snooping' on patient records, how the snooping was discovered, or how many people had been affected.

A statement issued said: “Our patients can be reassured that there has been a thorough investigation and appropriate response and can continue to have the utmost confidence in the service they receive from the practice.”
"I know staff have some access to records, but why was someone looking at mine repeatedly and ‘inappropriately'?" - Patient of the medical group
Asked to explain what it meant by ‘inappropriate’, the medical group's spokesperson said the level and pattern of access to records was deemed inappropriate. In healthcare 'inappropriate' is typically used to describe an employee accessing data of patients who are not under their care or who are outside their responsibilities.
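That definition of 'inappropriate' access, together with the "break glass" question raised in the HIE post earlier on this page, can be expressed as an audit check. The following is an added example, not code from any organization or product named on this page: it classifies each record access as care-team, break-glass (allowed at once, with the stated reason queued for review) or unexplained, then reports staff who repeatedly open the same patient's record without a care relationship. The care-team mapping, log layout and all identifiers are constructed assumptions.

```python
from collections import Counter

# Constructed sample data; all identifiers are hypothetical.
# Patient -> staff with a documented treatment relationship
# (assumed to come from scheduling or admission records).
CARE_TEAM = {
    "P100": {"dr_lee", "rn_diaz"},
    "P200": {"dr_lee"},
    "P300": {"rn_diaz"},
}

# (timestamp, staff, patient, break-glass reason or None)
ACCESS_LOG = [
    ("2012-06-01T08:10", "dr_lee", "P100", None),
    ("2012-06-01T08:30", "clerk_roy", "P200", None),
    ("2012-06-01T23:55", "dr_er1", "P300", "ER trauma admit"),
    ("2012-06-02T09:00", "clerk_roy", "P200", None),
    ("2012-06-02T09:05", "clerk_roy", "P300", None),
    ("2012-06-03T14:20", "rn_diaz", "P200", None),
    ("2012-06-04T10:00", "clerk_roy", "P200", None),
]


def classify_access(staff, patient, reason, care_team):
    """Return 'care_team', 'break_glass' or 'unexplained' for one access."""
    if staff in care_team.get(patient, set()):
        return "care_team"
    if reason:
        # Emergency override: access is never delayed, but the reason is
        # recorded so a privacy officer can confirm it afterwards.
        return "break_glass"
    return "unexplained"


def triage(log, care_team):
    """Split the log into the three categories, preserving order."""
    buckets = {"care_team": [], "break_glass": [], "unexplained": []}
    for ts, staff, patient, reason in log:
        kind = classify_access(staff, patient, reason, care_team)
        buckets[kind].append((ts, staff, patient, reason))
    return buckets


def repeated_unexplained(log, care_team, threshold=3):
    """(staff, patient, count) for pairs with >= threshold unexplained views."""
    unexplained = triage(log, care_team)["unexplained"]
    counts = Counter((staff, patient) for _, staff, patient, _ in unexplained)
    return sorted((s, p, n) for (s, p), n in counts.items() if n >= threshold)


if __name__ == "__main__":
    buckets = triage(ACCESS_LOG, CARE_TEAM)
    print("break-glass events to confirm:", buckets["break_glass"])
    print("unexplained accesses:", len(buckets["unexplained"]))
    for staff, patient, n in repeated_unexplained(ACCESS_LOG, CARE_TEAM):
        print(f"{staff} opened {patient} {n} times with no care relationship")
```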


Sources:
(a) Breach of privacy at Cupar GP practice - Fife Today, June 3, 2012

Monday, June 4, 2012

Police Officer Bribed to Provide Personal Information from Police Computers

A police detective has been charged with unauthorized use of a computer and breach of trust for providing personal information on citizens to people not authorized to receive it.

The officer was paid by a cash loan company to provide names, addresses and phone numbers of 10 delinquent borrowers over a 17-month period. This is known as 'skip tracing' and is something police officers are prohibited from doing.
"Every member of our service when they start signs a confidentiality agreement. Every member of our service knows that accessing databases is for police use only."
- Kevin Brookwell, Police spokesman
The 21-year veteran of the Calgary police has been relieved from duty with pay. The Calgary police department is in the process of notifying those whose information was allegedly accessed illegally.

UPDATE TO STORY: Further investigation of court documents obtained by the press revealed that the police officer has more than $143,000 in debt and recently filed for bankruptcy.

As well, the officer was the primary investigator in a case involving an employee of the cash loan company that paid him for the sensitive information. A former executive assistant for the cash loan company said the officer targeted her and she was later charged with fraud. That case has been damaged by the revelation that the officer did skip tracing for the firm.
Sources:
(a) Calgary detective charged in alleged privacy breach - CBC News, May 2, 2012
(b) Detective facing trust charges is under heavy debt load - CBC News, May 11, 2012

Sunday, June 3, 2012

Patient Privacy Breach Audit Catches Healthcare Worker Improperly Peeking at Patient Records

43 people had their privacy breached by a government health worker who was caught improperly viewing patient records. The employee had access to health insurance information such as client names, addresses, birthdates, health information and social insurance numbers.

The company has not disclosed how long the employee had been 'snooping' on patient records and claimed "the risk is really low level because it looks like he or she was accessing the information out of curiosity but not for any fraudulent activity."
"I would like to know - is this an isolated incident? Has it happened in the past?"
- NDP health critic Mike Farnworth
The employee worked for a firm that has a contract with the government to run its Victoria-based Health Insurance B.C. office. The company said they discovered the breach as part of a patient privacy breach audit. The employee was suspended immediately and then fired after an investigation was completed.

Vincent Gogolek, executive director of the Freedom of Information and Protection of Privacy Association, said future data privacy breaches would be a bigger risk with the government's eHealth electronic records initiative and Integrated Case Management system, in which vast amounts of personal information will be stored within a single computer system.
Sources:
(a) 43 hit by privacy breach, Maximus worker fired - Times Colonist, June 2, 2012

Saturday, June 2, 2012

Patients Records Stolen for Identity Theft by Miami Beach Hospital Employee

A hospital specimen control clerk is accused of stealing 340 patient records, including their Social Security numbers, birthdates, names, and other personal information.

No information is available on how long she had been stealing patient records, nor how many people are victims of her identity theft.
"[She] had no lawful reason, nor did she have authorized access, to view or print these patient records." - U.S. Attorney for the Southern District of Florida
The employee, who worked at a hospital in Miami Beach, Florida, came under suspicion when she was stopped for reckless driving and the police found 11 computer screen printouts from the local hospital. She had clearly written “Duplicate SS” and “IRS Accepted” on the printouts.

The Internal Revenue Service’s Identity Theft Task Force then pursued the case and traced the printouts back to the hospital's computer systems. The clerk was then arrested on a charge of knowingly transferring, possessing and using, without lawful authority, the personal identification of another with the intent to commit a violation of federal law that also constitutes a felony under State and local law.
Sources:
(a) IRS Identity Theft Task Force Arrests Mount Sinai Hospital Employee for Allegedly Stealing Patient Records - United States Attorney for the Southern District of Florida, May 31, 2012
(b) Hospital specimen clerk in Miami Beach charged with theft of patients’ IDs - The Miami Herald, May 31, 2012

Friday, June 1, 2012

Police Detective Gave Criminals Sensitive Data Stolen from Police Computers

A Montreal homicide detective was found guilty of inappropriately accessing police systems to collect personal information and give it to criminals.

The police system is known as "le Centre de renseignements policiers du Québec (CRPQ)" and it contains a wealth of sensitive information including licence-plate numbers, addresses and criminal records.

A police informant provided the initial lead that a police officer was providing organized crime with information from the CRPQ system.

To verify the allegation, the investigators used audit logs to find searches under the suspect's password and identified searches done on a government vehicle that wasn’t on the road that day and was not implicated in any incidents.
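The audit-log check described here, and the "patients who are not under their care" test from the UK snooping story above, both come down to matching each lookup against a documented work reason. The following is an added example, not code from the blog or from any vendor; the user names, record ids, dates and the shape of the assignment table are constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import date

# Constructed audit log: (user, record looked up, day of lookup).
AUDIT_LOG = [
    ("u_lee",   "REC-1001", date(2024, 3, 4)),
    ("u_lee",   "REC-1002", date(2024, 3, 4)),
    ("u_novak", "REC-1001", date(2024, 3, 5)),
    ("u_novak", "REC-2001", date(2024, 3, 5)),
    ("u_novak", "REC-2001", date(2024, 3, 9)),
    ("u_novak", "REC-2002", date(2024, 3, 9)),
    ("u_lee",   "REC-1001", date(2024, 4, 20)),
]

# Constructed assignments: record -> [(user, first day, last day)] during which
# the user had a work reason (patient under their care, open case file).
ASSIGNMENTS = {
    "REC-1001": [("u_lee", date(2024, 3, 1), date(2024, 3, 31)),
                 ("u_novak", date(2024, 3, 1), date(2024, 3, 31))],
    "REC-1002": [("u_lee", date(2024, 3, 1), date(2024, 3, 31))],
}

def is_justified(user, record, day, assignments):
    """True if the user was assigned to the record on that day."""
    return any(u == user and start <= day <= end
               for u, start, end in assignments.get(record, []))

def unjustified_lookups(audit_log, assignments):
    """Return the audit entries that no assignment explains."""
    return [e for e in audit_log if not is_justified(*e, assignments)]

def summarize_by_user(flagged):
    """Per user: total unexplained lookups and records hit more than once."""
    counts = defaultdict(Counter)
    for user, record, _day in flagged:
        counts[user][record] += 1
    return {
        user: {"total": sum(c.values()),
               "repeated": sorted(r for r, n in c.items() if n > 1)}
        for user, c in counts.items()
    }

if __name__ == "__main__":
    flagged = unjustified_lookups(AUDIT_LOG, ASSIGNMENTS)
    for user, stats in sorted(summarize_by_user(flagged).items()):
        print(user, stats)
```

Because assignments are time-bounded, the April lookup by `u_lee` is flagged even though the same user had a valid reason to open that record in March.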

He was convicted of accessing the police system between December 2008 and June 2009 for reasons other than legitimate police work.
Learn how Veriphyr Identity and Access Intelligence delivers insights into insiders stealing sensitive data - with no hardware and no on-site software.
Sources:
(a) Montreal homicide detective guilty of passing data to criminals - The Montreal Gazette, May 26, 2012

Child Identity Theft Due to Data Breaches

Jennifer Dennard has written an article that provides context to my company's donation of privacy breach detection services to Gillette Children’s Specialty Healthcare.

The article brings up some interesting points about children and identity theft. One of the articles she references has a quote I thought was worth repeating here.
"Kids don't know they're ... victims. Their parents don't know they're ... victims, because they're not out there engaging in credit transactions. They're not going to know that someone's opened a credit line using their number, so child identity theft can permeate for years before it's ever discovered." - Utah Assistant Attorney General Richard Hamp
BTW - A recent Carnegie Mellon University study on over 40,000 children found that over 10% of them were victims of identity theft.
Sources:
(a) Veriphyr HIT Gives Littlest Victims of Patient Identity Theft a Fighting Chance - NPR, May 23, 2012
(b) Identity Theft: 'Kids Don't Know They're Victims' - EMRandEHR.com, May 24, 2012


Copyright © 2010-2011 by Veriphyr Incorporated, All Rights Reserved.

Contact us at Veriphyr.com.