Friday, June 28, 2013

Info on 9,000 Patients Taken by Former Optometry Employees

The private and medical information of 9,000 patients was allegedly stolen by former employees of Sight and Sun Eyeworks in Gulf Breeze, Florida.

Reportedly, a doctor and an office manager copied all or parts of the optometry practice's EHR system and used the patient information to market their new employer's services, "in some cases going into Sight and Sun's EHR system to change appointments to the new employer." Sight and Sun has notified 9,000 patients about the unauthorized access:

"the practice learned that its patients’ personal information, including name, address, Social Security number and medical record had been accessed inappropriately. ... All or part of its patients’ medical records were copied." - Sight and Sun Eyeworks
Sight and Sun believes the records were inappropriately accessed and copied to offer other medical services, not for identity theft. However, the 9,000 patients were notified to monitor financial statements for signs of identity theft or fraud.

It's unclear how Sight and Sun's EHR was being monitored for inappropriate access and changing of appointments. Healthcare organizations can now proactively detect such inappropriate access and activity with low-cost on-demand SaaS analytics services.

Download a white paper on patient privacy breach detection. Learn how to proactively identify unauthorized breaches of patient data privacy, even by authorized users - with no hardware and no on-site software.
Sources:
(a) Healthcare Privacy Thieves Deserve No Mercy - www.FierceEMR.com, 06/27/13

Thursday, June 27, 2013

One Hour to Report a Breach?

The recently released proposed rule governing state health insurance exchanges includes a requirement to report a breach within one hour of discovery. This has caused a number of consultants and attorneys to express varying opinions on this time frame.

While some may think this is an excessive demand, given that HIPAA gives covered entities 60 days for breach notification, it is not without precedent. Privacy attorney Adam Greene, a partner at Davis Wright Tremaine, points out that it is a federal requirement to report unauthorized access to a federal system within one hour.

"We considered but declined to use the definitions for [incident and breach] provided under the HIPAA regulations because the protected health information that triggers the HIPAA requirements is considered a subset of PII, and we believe that the HIPAA definitions would not provide broad enough protections to satisfy the requirements under the Privacy Act of 1974."
- Proposed Rule about Privacy and Security for Health Insurance Exchanges
Others, such as independent security consultant Tom Walsh, feel a 60-minute breach reporting rule is unrealistic. He said "it differs from some state laws" and that a one-hour limit could create errors in conducting an investigation. What do you think? Is 60 minutes an unreasonable time frame to report discovery of a breach? If unreasonable, what time frame do you think is reasonable?
Sources:
(a) 60 Minutes to Report a Breach? - www.HealthInformationSecurity.com, 06/27/2013

Wednesday, June 26, 2013

Healthcare Can Save $11 Billion with IT-as-a-Service

By adopting IT-as-a-Service (ITaaS), healthcare providers could reduce costs by $11 billion (9%) over three years, according to a survey of College of Healthcare Information Management Executives (CHIME) members.

Ninety percent of healthcare IT executives believe IT innovation is key to their organization’s success and estimate that almost half of their current portfolio can be delivered by ITaaS.

"32% of hospital IT will be delivered as a service on private, hybrid or public clouds in the next three years, up from 15% today." - FierceHealthIT
IT executives in healthcare have primarily (87%) purchased software or applications as a service, such as visualization and privacy breach detection.

Using low-cost on-demand SaaS analytics for proactive privacy breach detection and user access compliance allows them to achieve their goals of Stage 2 Meaningful Use, preparing for accountable care and improving information security.

Sources:
(a) CHIME execs: IT-as-a-service could save $11 billion - FierceHealthIT, 06/24/2013

Tuesday, June 25, 2013

Prison Sentence for Patient ID Theft

Cristobal Raul Puig, who stole patient information as part of a tax fraud scheme, was sentenced to 31 months in federal prison.

Puig illegally purchased patient information from an employee of West Kendall Baptist Hospital. He used their names, dates of birth and Social Security numbers to file fraudulent tax returns.

"Puig illegally purchased patient information from an employee of West Kendall Baptist Hospital." - www.BizJournals.com, 06/24/2013
Breaches of patients' private information can now be detected proactively with low-cost on-demand SaaS analytics services.
Sources:
(a) Man who stole Baptist Health patient information sentenced to prison - www.PHIprivacy.net, 06/25/2013

Monday, June 24, 2013

IT/EMRs Investment Priority For Hospitals

Healthcare providers of every size are investing in IT.

A HealthLeaders Media Capital Funding Buzz Survey (11/12) found "68% of respondents indicated healthcare information systems (including EMR) and IT infrastructure will be a top-three priority for capital investments in the next 12–18 months, surpassing the No. 2 priority (upgrading existing facilities) by 21 percentage points."

Most healthcare providers believe enhancing collection and use of patient data is the best strategy for better care delivery.

"We'll spend $61 million implementing a new computer system—electronic medical record—it's our biggest single expenditure."
- John Heye, SVP Finance and CFO at Maine Medical Center, a 600-bed hospital in Portland
Partners HealthCare, a $9 billion healthcare organization in Boston, is developing and implementing an EMR that may take 10 years to complete and cost $600–$700 million. Peter Markell, Partners' CFO, says "Having a focus on population health management, data access, and network development has become critical to meeting the needs of patients at the right site at the right time."
Sources:
(a) Why Putting Capital Into EMR is a Smart Move - www.HealthLeadersMedia.com, 06/11/2013

Thursday, June 20, 2013

Hospital Employee Fired for Snooping in Patient Records

Ephrata Community Hospital has a privacy notice on their site stating an employee was fired for accessing patient records that were "outside the employee's job duties."

While the hospital noted that no social security numbers or financial information was accessed, they confirmed the employee viewed some patients' electronic medical records and may have accessed clinical information.

"The hospital did not respond to emails...asking them when the improper access first began, how the hospital discovered or learned of the breach, the department the employee worked in, and the number of patients affected." - PHIprivacy.net
What remains unclear is when the inappropriate access started and how the hospital learned about the snooping. Often organizations are alerted to insider breaches by a third party, rather than via proactive detection. Proactive breach detection is now available as low-cost on-demand SaaS analytics services.
Sources:
(a) PA: Ephrata Community Hospital Fires Employee for Snooping in Patient Records - www.PHIprivacy.net, 06/18/2013

Wednesday, June 19, 2013

Study: 82% Mexicans "Very Concerned" about Data Breaches

A study by Unisys found 82% of Mexicans were "very concerned" about breaches of their personal data held by various organizations.

Their concern about breaches was highest for banks (91%), followed by healthcare (86%). Regarding healthcare, concern about breaches has increased as more medical facilities are utilizing electronic health records.

"The highest level of concern was related to data breaches in banks, with 91% of respondents claiming to be very concerned regarding this risk, followed by 86% for healthcare organizations, 85% for government agencies, 80% for telcos and internet service providers, and 71% for airlines and hotels."
- BN Americas
Despite efforts by the Mexican government and other organizations to secure data, consumers' anxiety persists. One way organizations can allay consumer concerns and protect data is with low-cost on-demand SaaS privacy breach detection.
Download a white paper on data breach detection. Learn how to proactively identify unauthorized breaches of data privacy, even by authorized users - with no hardware and no on-site software.
Sources:
(a) Some 82% of Mexicans "very concerned" about potential personal data breach - study - www.bnamericas.com, 06/18/2013

Tuesday, June 18, 2013

Must Privacy Breaches Require "IT Gymnastics"?

A privacy breach of diagnostic images and personal information on 500 patients was reported by a Canadian hospital.

The breach was the result of a staff physician sharing his username and password with a physician not affiliated with the hospital. While physicians often share information with others in the course of providing care, there are regulations that must be complied with to protect patient confidentiality. In this case it seems regulations were not followed, and the Information and Privacy Commission of Ontario is investigating.

"The privacy breach was discovered in early April and it took multiple gymnastics from an IT perspective to be able to come up with a list and determine to what extent and when it began."
- Andree Robichaud, CEO Thunder Bay Regional Health Sciences Centre
The hospital CEO noted "multiple gymnastics from an IT perspective" were needed to determine when the breach began and its extent. IT gymnastics can be eliminated by using Identity and Access Intelligence (IAI) SaaS analytics services.
Sources:
(a) Hospital Apologizes for Data Breach - www.seclists.org, 05/28/2013

Monday, June 17, 2013

Hospital Worker Steals 1,000 Patient IDs

Federal law enforcement alleges that hospital worker Curtis Fullwood stole the identities of more than 1000 psychiatric patients.

Mr. Fullwood's job was to help mental patients find work, but he has been accused of taking their identity information from hospital computers and then filing fraudulent tax returns.

"Fullwood obtained patients' information by illegally using computers at the Pembroke Pines psychiatric hospital to steal the identities of people who were admitted for treatment." - SunSentinel
It is unclear if the hospital knew about the identity thefts or if they first learned about the patient privacy breach from federal law enforcement. Healthcare organizations can utilize low-cost on-demand SaaS analytics services to proactively detect theft of patients' private information.
Sources:
(a) Psychiatric patients' IDs stolen by hospital worker, feds say - Sun-Sentinel, 06/11/2013

Friday, June 14, 2013

Private Rx Info Breach at State Database

Florida's E-FORCE program was "to encourage safer prescribing of controlled substances and to reduce drug abuse and diversion within the state" but, as some feared, it has put private health data at risk.

The ACLU of Florida said “The private medical information of more than 3,000 Floridians — namely what prescription drugs they take, the dosage, their date of birth, address and the name of the pharmacy that dispensed the prescription, ended up in the hands of third parties who simply have no legal right to know which law-abiding citizens are taking which prescribed medications.”

"None of the 3,300 individuals involved either gave their consent or was notified of the release. The violation only became known when one individual unrelated to the criminal investigations became aware of the privacy breach."
- FloridaWatchdog.org
Supposedly the E-FORCE program must comply with federal and state privacy laws and regulations; if this is the case, then an "accounting of disclosures," a report of what patient data was released and to whom, should be available.

This type of tracking and reporting is now fast and easy to obtain using low-cost on-demand SaaS analytics services.

Download a white paper on accounting of disclosures of medical records. Learn how to identify to whom private patient data was disclosed - with no hardware and no on-site software.
Sources:
(a) Floridians see private Rx info leaked from state database - www.FloridaWatchdog.org, 06/13/2013

Thursday, June 13, 2013

Prime Healthcare Violates Patient Privacy, Fined $275K

Prime Healthcare Services has agreed to pay $275,000 to settle a federal case alleging violation of patient privacy by the CEO of the Shasta Regional Medical Center (owned by Prime).

Additional fines related to this matter were imposed by the California Department of Public Health (DPH), $95,000 for violating patient confidentiality, plus $3,100 for not reporting the breach to the state and the patient in a timely manner.

"The federal Office for Civil Rights, which investigated the matter, declined to comment in detail on the settlement until the company made the $275,000 payment."
- Los Angeles Times, Money & Co., 06/11/2013
Breaches of patient privacy by "insiders" can be detected using low-cost on-demand SaaS analytics services.
Sources:
(a) Prime Healthcare Pays $275K To Settle Federal Patient Privacy Case - www.CaliforniaHealthline.com, 06/12/2013

Wednesday, June 12, 2013

2013 Breach Cost Study: Healthcare Highest at $233/Person

The 2013 Cost of Data Breach Study, conducted by the Ponemon Institute, found the average global cost of a data breach was $136 in 2012, a $6 increase over 2011. For financial services and healthcare organizations, which hold more personally identifiable information, the cost was $215 and $233 per person, respectively. For example, the cost would be $233,000 if 1,000 patient records are inappropriately accessed at a healthcare facility.

Mr. Ponemon said that regulations initially mean higher breach-related expenses but eventually could save companies money.

"Healthcare and financial services companies maintain more personally identifiable information on their servers than enterprises in other sectors."
- Larry Ponemon, Ponemon Institute
One approach to data breaches that can save organizations money both initially and in the long term is low-cost on-demand SaaS detection analytics services.
Download a white paper on data privacy breach detection. Learn how to proactively identify unauthorized breaches of data privacy, even by authorized users - with no hardware and no on-site software.
Sources:
(a) Regulations' Impact on Data Breach Costs - www.BankInfoSecurity.com, 06/11/2013

Tuesday, June 11, 2013

Drug Bust Uncovers Patient Privacy Breach?

A drug bust recovered personal information on 4,500 Sutter Health patients; patients' names, Social Security numbers, birthdates, genders, addresses, zip codes, marital status, employer names, and home/work phone numbers may have been exposed.
"...cannot yet disclose how or where the information was obtained because of the ongoing investigation." - Stacey Wells, Sutter Health
As this breach was just announced, we'll post more details as they become available. However, it seems the hospital was unaware of the breach until law enforcement brought it to their attention. Organizations can now proactively detect privacy breaches with low-cost on-demand SaaS analytics services.
Sources:
(a) Sutter Health Acknowledges Security Breach - eSecurityPlanet.com, 6/10/2013

Monday, June 10, 2013

Medical Data Sharing Benefits, Better Privacy Required

A study by the Institute of Medicine found that electronic sharing of patient data collected during healthcare visits could contribute to improving care for the entire population.

Michael Murray, lead author, said "We are missing a tremendous opportunity to turn our health care system into one that learns from each care experience and leads to better and more affordable care for all." But he also noted the public must know their privacy is assured, otherwise they will be less willing to allow their data to be used in health research.

"Electronic sharing of patient data would require stronger security measures to protect patient privacy."
- Michael Murray, Regenstrief Institute and Purdue University
Interestingly, identity and access intelligence (IAI) can contribute to both the issues Mr. Murray mentioned. Now available as low-cost on-demand SaaS services, these big data analytics can yield insights into interactions between healthcare workers and patients as well as be utilized to detect data privacy breaches.
Learn how Veriphyr Identity and Access Intelligence delivers clinical insights - with no hardware and no on-site software.
Sources:
(a) Data from routine medical visits can improve care for all - FierceHealth IT, 04/18/2013

Friday, June 7, 2013

EHR Incentives $14.6 Billion

According to Robert Anthony, deputy director of the HIT Initiative Group at the Centers for Medicare & Medicaid Services’ Office of E-Health Standards and Services, the federal government had paid $14.6 billion in EHR incentives by the end of April 2013.
"More than 77 percent of hospitals have been paid under the program, and registration for eligible providers continues at 75 percent. Three out of every four eligible hospitals have made a financial commitment to an electronic health record."
- Healthcare IT News
Anthony reported that the data through April show that 194,080 providers and 2,977 hospitals are meaningful users of EHRs.
Sources:
(a) $14.6 Billion in MU Incentives Paid - www.HealthcareITnews.com, 06/06/2013

Thursday, June 6, 2013

Healthcare Seeks Data Analytics Workers

By 2018 the shortage of healthcare analytics workers could reach two million, according to a McKinsey & Co. study. This is reminiscent of the issues faced in other industries during the tech boom in the late '90s.

PwC's Healthcare IT Practice leader Daniel Garrett notes "fifty to sixty percent of CEOs say they're concerned that they don't have the skills required to execute the strategy that they just created."

"The competition for workers with high-tech analytics skills has ... accelerated partly because of new ... patient-monitoring requirements for hospitals, doctors and physician groups under the Affordable Care Act, also known as Obamacare."
- Bertha Coombs, CNBC reporter
To cope with the shortage of data analytics workers, healthcare organizations are utilizing low-cost on-demand SaaS analytics services to meet their needs for intelligence from their clinical and business data.
Learn how Veriphyr Identity and Access Intelligence delivers clinical and business insights - with no hardware and no on-site software.
Sources:
(a) Filling the Skills Gap: Health Care Looks for More Data Workers - www.cnbc.com, 05/23/2013

Wednesday, June 5, 2013

10 Years in Prison for Patient Identity Thief

A Montgomery, Alabama woman, Rhashema Deramus, has been sentenced to 10 years in prison for using Troy Regional Medical Center (TRMC) patient information to file fraudulent tax returns.

Ms. Deramus purchased the stolen identity information from Angeline Austin, who worked for a company that processed TRMC data; Ms. Austin was sentenced to 65 months in prison (we previously wrote about this case).

"Deramus and her associates stole 881 identities, including names, dates of birth and social security numbers, from TRMC and then used the stolen information to file tax returns."
- US Department of Justice
There is no indication that the medical center was aware that patients' privacy had been breached until law enforcement notified them as part of the tax fraud investigation. Rather than learn of breaches from law enforcement, organizations can now utilize low-cost on-demand SaaS analytics for proactive detection of data privacy breaches.
Sources:
(a) Woman involved in hospital identity theft sentenced to 10 years - www.PHIprivacy.net, 05/23/2013

Tuesday, June 4, 2013

Penalty Too Lenient in UK Medical Data Theft?

Paul Hedges, a UK community fitness center health manager, stole medical information about 2471 clients to assist in establishing a business of his own. Prosecuted under the UK Data Protection Act, he was fined £3000, as well as a £15 victim surcharge and £1376 prosecution costs.

The consequences of this insider breach do not seem severe enough to a number of parties.

"Should a data controller have no responsibility for preventing an insider breach other than issuing login credentials to those authorized to access a database? What’s reasonable to expect of data controllers?" - PHIprivacy.net
For example, Christopher Graham of the UK Information Commissioner's Office (ICO) said “This case shows why there is a need for tough penalties to enforce the Data Protection Act. At very least, behavior of this kind should be recognized as a ‘recordable offense’ which it isn’t now. For the most serious cases the current ‘fine only’ regime will not deter and other options including the threat of prison should be available.”

In the US such a case, according to PHIprivacy.net, would bring “exceeding authorized access” charges as well as criminal charges, since this theft of sensitive information was for financial gain. What is your opinion? Do you agree with the ICO that financial penalties alone will not deter data thefts?

Sources:
(a) UK: Man made redundant fined for stealing sensitive information - www.PHIprivacy.net, 05/23/2013

Monday, June 3, 2013

Bank Teller Identity Theft

A Philadelphia bank teller accessed customers' accounts to obtain information such as Social Security numbers and dates of birth. He then sold the information, which was used to create counterfeit checks payable to victims and cashed using the stolen identity information.

The fraud loss for this scheme is estimated to be over a quarter of a million dollars.

"Jewell-Wright obtained the addresses, Social Security numbers, and account bank balances for some of Wachovia’s customers which he then sold." - Private Officer News
Of course, bank tellers must have access to customer accounts in order to do their jobs, but determining whether access activity is appropriate is critical for uncovering fraud. There are now low-cost on-demand SaaS analytics that can detect inappropriate access to customer data, even by authorized users.
Download a white paper on customer data privacy breach detection. Learn how to proactively identify unauthorized breaches of customer data privacy, even by authorized users - with no hardware and no on-site software.
Sources:
(a) Philadelphia Bank Teller’s Theft from Customer Accounts Leads to Criminal Charges - Private Officer News, 06/02/2013

Copyright © 2010-2017 by Veriphyr Incorporated, All Rights Reserved.

Contact us at Veriphyr.com.