Monday, September 30, 2013

Employee Stole Patient Data for Tax Refund Fraud

An employee of a Maryland healthcare organization stole patient data for a tax fraud scheme.

In the federal indictment, the healthcare organization stated they believed the improper access occurred between October 11, 2011 and August 8, 2012; their internal investigation did not determine how the employee was able to access the information.

"The employee was being criminally charged for having improperly accessed the protected health information of an unspecified number of their patients. The data were allegedly provided to a third party who used the names, Social Security numbers, and dates of birth for tax refund fraud." - PHIprivacy.net
As often happens, federal law enforcement was the first to uncover the data breach at this healthcare organization. Organizations that want to proactively detect breaches of protected health information can now utilize low-cost on-demand SaaS data analytics services.
Download a white paper on patient privacy breach detection. Learn how to proactively identify unauthorized breaches of patient data privacy, even by authorized users - with no hardware and no on-site software.
Sources:
(a) 21st Century Oncology employee stole patient information for tax refund fraud scheme – feds - 09/24/2013

Friday, September 27, 2013

Hospital has Second Breach from Employee Snooping

Nearly 10,000 patients have been notified that their records may have been inappropriately accessed from November 2011 to August 2013 by a former employee of a Ft Lauderdale hospital. The data accessed, possibly for tax fraud, included patient names, dates of birth, addresses and Social Security numbers.

This is the second breach for this hospital, according to the Department of Health and Human Services (HHS). In 2010, a hospital employee stole Social Security numbers and protected health information (PHI), causing 44,000 patients to be notified of a potential breach of their PHI.

"This is the second breach for this hospital, according to the Department of Health and Human Services. In 2010, a hospital employee stole Social Security numbers and protected health information (PHI), causing 44,000 patients to be notified of a potential breach of their PHI." - Healthcare IT News
It is unclear how the hospital learned of this most recent breach and why the inappropriate access had been going on for almost two years. Healthcare organizations seeking proactive detection of PHI breaches can now utilize low-cost on-demand SaaS analytics services.
Sources:
(a) Second big breach for Florida hospital after employee snooping - www.HealthcareITnews.com, 09/26/2013

Thursday, September 26, 2013

Survey: Law Firms Committed to HIPAA Privacy

In January 2013, the U.S. Department of Health and Human Services (HHS) announced that law firms that act as Business Associates, or interact with protected health information (PHI), are directly liable for compliance with the HIPAA Security Rule and Privacy Rule.

These rules mandate that access to and use of PHI must be restricted to a "minimum necessary" standard, with access restrictions documented and verified using activity monitoring technology. Formal enforcement began September 23, 2013.

Information from over 70 law firms was used to compile The 2013 HIPAA Law Firm Risk Survey, which focused on risk management policies, practices and priorities. Issues including compliance tracking and verification were examined.

"Firms are actively pursuing compliance with new HIPAA regulations, ...including undertaking internal assessments...and adopting security and monitoring controls." - 2013 HIPAA Law Firm Risk Study
The survey found that law firms are pursuing compliance with the HIPAA Omnibus Rule. In addition to reviewing policies and procedures, firms are establishing activity monitoring reporting. To support such reporting and ensure "minimum necessary" PHI access, organizations can utilize low-cost on-demand SaaS analytics services.
Download a white paper on data privacy breach detection. Learn how to proactively identify unauthorized breaches of data privacy, even by authorized users - with no hardware and no on-site software.
Sources:
(a) Law Firm HIPAA Survey Highlights Industry Commitment to Compliance with New Privacy and Security Rules Now in Effect - www.HispanicBusiness.com, 09/23/2013

Wednesday, September 25, 2013

ONC: CEOs Should be Privacy Leaders

Healthcare CEOs and other top executives should set the tone for a culture of privacy in their organizations, according to Joy Pritts, chief privacy officer at the Office of the National Coordinator (ONC) for Health IT.

Pritts says there is still a culture that privacy and security are barriers to providing healthcare but that the ONC sees privacy and security as being facilitators.

"When the message from the top is that privacy and security is good for the patient, and good for the business [then] we will see more of an attitude that these are things organizations should be doing willingly ...."
- Joy Pritts, chief privacy officer at the Office of the National Coordinator for Health IT.
During an Information Security Media Group interview at the HIMSS Privacy and Security Forum in Boston, Pritts discussed a number of issues including the need for detailed risk analysis, a critical privacy and security requirement for the upcoming Stage 2 of the HITECH Act.

Healthcare organizations that are making patient privacy a priority are utilizing low-cost on-demand SaaS analytics to proactively detect data breaches and ensure even authorized users are not inappropriately accessing patient information.

Sources:
(a) CEOs as Privacy Leaders - www.healthcareInfoSecurity.com, 09/26/2013

Tuesday, September 24, 2013

Tougher HIPAA Rules Take Effect

As of September 23, 2013, the more-stringent-than-ever HIPAA Omnibus Rule is in effect.

The new rule will bring heftier fines, more audits and added enforcement pertaining to patients’ protected health information, according to Leon Rodriguez, Director of the Office for Civil Rights (OCR). While the official and permanent audit program is not fully established, breach investigations are being conducted.

"Fines imposed on organizations that grossly violate HIPAA privacy and security rules are now on the upward trend." - Leon Rodriguez, Director, Office for Civil Rights, U.S. Department of Health & Human Services
Mr. Rodriguez stressed the need for covered entities (CE) as well as business associates (BA) "to perform a comprehensive, thorough risk analysis and then to apply the results of that analysis."

A comprehensive risk analysis includes ensuring healthcare workers only have access to the information needed to perform their job, as well as ensuring that workers are not inappropriately accessing patient information. This can now be accomplished proactively with low-cost, on-demand SaaS analytics services, rather than by purchasing hardware and software and burdening IT and other staff.

Sources:
(a) Ready or Not: HIPAA Gets Tougher Today - www.HealthcareITnews.com, 09/23/13

Friday, September 20, 2013

Data Breach Class Action Lawsuits Settling Southern District FL

Al Saikali, an attorney with Shook, Hardy and Bacon, notes that "plaintiffs in data breach lawsuits have had a difficult time surviving motions to dismiss and for summary judgement."

However, two federal class action data breach lawsuits have resulted in proposed settlements; both suits are pending in the Southern District of Florida. Mr. Saikali says this raises the question of "whether the plaintiff’s bar will perceive the Southern District of Florida as a Plaintiff-friendly jurisdiction for data breach lawsuits, resulting in even more lawsuits being filed there."

"These settlements are significant because they are two of the only publicly known settlements in class action lawsuits arising from data breaches, and they both occurred in the same court – the Southern District of Florida. Given the lack of the number of data breach lawsuits that have proceeded to a public settlement, it will be interesting to see whether more of these lawsuits will be filed in the Southern District of Florida as a result of these recent developments."
- Al Saikali, Attorney, Shook, Hardy & Bacon, LLP
Organizations in a variety of industries that handle personally identifiable information (PII) and/or patient health information (PHI) are taking steps to proactively detect data breaches before they lead to lawsuits. One such approach utilizes low-cost on-demand SaaS analytics services.
Download a white paper on data breach detection. Learn how to proactively identify unauthorized breaches of data, even by authorized users - with no hardware and no on-site software.
Sources:
(a) Data Breach Lawsuits Settling in the Southern District of Florida - www.DataSecurityLawJournal.com, 09/11/2011

Thursday, September 19, 2013

Health IT Likely Subject to FDA Regulation

On September 4, 2013, subgroup members of the National Coordinator for Health IT's HIT Policy Committee discussed the health IT most likely to be subject to Food and Drug Administration (FDA) regulation.

Technology likely to be in the risk-based framework being developed includes electronic health records (EHRs) and health information exchange (HIE) software.

"National Coordinator for Health IT's HIT Policy Committee, members of a subgroup discussed the health IT likely to be subject to Food and Drug Administration regulation in the near future."
- Becker's Hospital Review
Both EHRs and HIEs are at risk for patient privacy data breaches. To proactively detect such breaches, healthcare organizations are utilizing low-cost on-demand SaaS analytics services.
Sources:
(a) The Health IT Most Likely to be Subjected to FDA Regulation - www.BeckersHospitalReview.com, 09/05/2013

Wednesday, September 18, 2013

AHLA/HCCA Fraud & Compliance Forum, 9/29-10/1, Baltimore

The American Health Lawyers Association (AHLA) and the Health Care Compliance Association (HCCA) are co-sponsoring a Fraud & Compliance Forum 9/29-10/1 in Baltimore. Presentations have been designed for compliance officers and health attorneys who must advise their clients and institutions on the latest developments in fraud and abuse and compliance issues.

One such issue is how to stop a privacy breach from becoming a wrongful termination suit. A typical scenario is that an employee sues for wrongful termination after being fired for looking at a patient's records without a work-related reason. The employee claims selective enforcement and claims others have snooped on patients and not been terminated.

How does an organization quickly obtain conclusive evidence that disproves a wrongful termination, allowing you to settle the suit on your terms? By utilizing low-cost on-demand analytics services.

"Q: How does an organization quickly obtain conclusive evidence that disproves a wrongful termination, allowing you to settle the suit on your terms?
A: By utilizing low-cost on-demand analytics services."
Discuss this and other compliance issues with Veriphyr at booth #8. Can't attend? Please call 1-800-406-9567 for an appointment to discuss your compliance needs.
Sources:
(a) AHLA/HCCA Fraud & Compliance Forum - www.healthlawyers.org, 09/15/2013

Tuesday, September 17, 2013

California Expands Confidentiality to Personal Health Records

California is leading the way in protecting health information. The Governor, Jerry Brown, signed AB 658 into law on September 9, 2013.

The amendment brings personal health records - including commercial vendors and businesses offering mobile health care applications – under the California Confidentiality of Medical Information Act (CMIA), even though it does not make vendors or businesses healthcare providers.

"The amendment brings personal health records - including commercial vendors and businesses offering mobile health care applications – under the California Confidentiality of Medical Information Act (CMIA), even though it does not make vendors or businesses healthcare providers." - PHIprivacy.net
Sources:
(a) California expands medical confidentiality protection to personal health records - PHIprivacy.net, 09/14/2013

Monday, September 16, 2013

National Health IT Week

September 16-20 has been designated National Health IT Week by the Health and Human Services (HHS) Office of the National Coordinator for Health Information Technology (ONC).

Health IT Week will highlight the path to Interoperability, which depends on five elements: "adoption and optimization of electronic health records (EHRs) and health information exchange (HIE) services, standards, financial and clinical incentives, privacy and security, and rules of engagement."

"National Health IT Week raises awareness of Health Information Technology’s power to improve the health and health care of patients all across the nation, and at lower cost."
- HHS Office of the National Coordinator for Health Information Technology
Privacy and security will be addressed in a Tuesday, 9/17, webinar during which policy chief Jodi Daniel will update HIE governance activities.

To build trust among HIE participants, low-cost on-demand SaaS analytics services are being utilized for access governance as well as to proactively detect patient data privacy breaches.

Sources:
(a) National Health IT Week - www.nationalhealth.org, 09/13/2013

Friday, September 13, 2013

Survey: 19% Increase in Medical Identity Theft

The 2013 Survey on Medical Identity Theft, conducted by Ponemon Institute, and sponsored by the Medical Identity Fraud Alliance, found a 19% increase in medical identity theft victims since last year.

It is estimated that about 1.84 million will be affected in 2013, with "these victims handing over more than $12 billion in out-of-pocket costs and paying, on average, $18,660," according to the survey.

"One of the more serious aspects of medical identity theft, unlike traditional financial identity theft crime, is that in the extreme, this could lead to your death."
- Larry Ponemon, Ponemon Institute
The survey concluded that consumers need to take steps to protect their personal information. Healthcare and other organizations that hold people's medical information are also taking steps to protect against medical identity theft. These steps include the use of low-cost on-demand SaaS analytics services to proactively detect data breaches rather than learn of theft from third parties such as patients or law enforcement.
Sources:
(a) Medical Identity Theft Hits Growth Phase - HealthcareITnews.com, 09/12/2013

Wednesday, September 11, 2013

South Africa Approves Personal Data Protection Legislation

The South African Parliament passed the Protection of Personal Information (PoPI) Bill on August 22, 2013.

This is South Africa's first comprehensive data protection legislation. Compliance would be required within one year of the law taking effect, but the Information Protection Regulator may extend this transitional period to up to three years.

"PoPI incorporates several data protection “conditions,” including accountability, transparency, and limitations on processing of personal data tied to data subject consent, data collection minimization, and purpose specification."
- Bloomberg BNA
Download a white paper on data breach detection. Learn how to proactively identify unauthorized breaches of data privacy, even by authorized users - with no hardware and no on-site software.
Sources:
(a) South Africa Passes Comprehensive Personal Data Protection Legislation - www.huntonprivacy.com, 08/30/2013

Tuesday, September 10, 2013

Employee Steals $800M in Trade Secrets

A former employee was charged with stealing $800 million in trade secrets from American Superconductor Corp (AMSC); the charges were brought by the US Department of Justice (DoJ).

FBI Executive Assistant Director Richard McFeely said this case is a classic example of the growing insider threat facing our nation's corporations and their intellectual property.

"The Sinovel case is a classic example of the growing insider threat facing our nation's corporations and their intellectual property."
- FBI Executive Assistant Director Richard McFeely
Download a white paper on data theft detection. Learn how to proactively identify unauthorized breaches of data, even by authorized users - with no hardware and no on-site software.
Sources:
(a) US Charges Chinese Wind Company with Stealing Trade Secrets - Reuters, 06/27/2013

Study: Patients Withhold Data Over Privacy Concerns

Privacy and security concerns have led nearly one in eight patients to withhold information from a healthcare provider, according to a study published in the Journal of the American Medical Informatics Association.

The study assessed people's perceptions and behaviors regarding the security of their protected health information (PHI) by focusing on their views about their individually identifiable medical records as defined under the Health Insurance Portability and Accountability Act (HIPAA).

James Pyles, a privacy attorney, said these results are consistent with 1999 and 2005 studies by the California HealthCare Foundation in which 13% of respondents practiced some form of "privacy protective barriers."

"The study underscores the need for enhanced measures to secure patients' [personal health information] to avoid undermining their trust."
- Harvard School of Public Health, Researcher, Israel Agaku
The lead author, Israel Agaku, a researcher at Harvard School of Public Health, said the study underscores the need to avoid undermining patients' trust about the privacy of their personal data. Healthcare organizations can build patient trust about the privacy of their personal information by utilizing low-cost on-demand SaaS analytics to proactively detect data breaches.
Sources:
(a) Study: Patients Withhold Health Data Because of Privacy Concerns - iHealthBeat.org, 09/09/2013

Monday, September 9, 2013

WSJ: Execs Concerned about Compliance

A Wall Street Journal (WSJ) interview with Roy Snell, CEO of the Society of Compliance and Ethics, highlights the increased concern of top executives about compliance.

Snell discusses how the industry has evolved, future trends, and where and how to develop the people needed to fill the growing number of jobs. The 12,000-member SCCE has a subgroup, the Health Care Compliance Association, formed to address rapid growth of compliance programs in that industry.

"Enron, Tyco, Penn State show us we don’t have a problem finding the problems and understanding the law, we have a problem following the law."
- Roy Snell, CEO, The Society of Compliance and Ethics
Mr. Snell notes the risk areas that compliance programs cover "are broadening to all risk areas." "The compliance officer has been given more authority, accountability and responsibility."

In healthcare, to comply with regulations addressing patient privacy and user access compliance, organizations can utilize low-cost on-demand SaaS analytics for proactive breach detection and access attestation.

Sources:
(a) Q&A: Roy Snell, CEO, Society of Compliance and Ethics - WSJ, 09/95/2013

Friday, September 6, 2013

Would you know if employees took patient records-NSA doesn't

Bruce Schneier of "Schneier on Security" asks "How many leakers came before Snowden?"

Is it likely Snowden was the first to take gigabytes of classified documents from the NSA, or just the first to release documents to the public?

Healthcare organizations should ask whether they would know if an employee took patient records, or whether they would wait until law enforcement or a disgruntled patient brings a breach to their attention. Organizations can proactively detect data privacy breaches with low-cost on-demand SaaS analytics, rather than learn of breaches from others.

"How many leakers came before Snowden?"
- Bruce Schneier, Schneier on Security
Sources:
(a) How Many Leakers Before Snowden - www.schneierOnSecurity, 08/29/2013

Thursday, September 5, 2013

Nurse Sentenced in Patient Identity Theft, Tax Fraud

In a previous blog post we reported on a Georgia home healthcare nurse who stole her patients' identities and filed fraudulent tax returns.

On August 23, 2013, Melody Milton, who pleaded guilty to embezzlement of government property and aggravated identity theft, was sentenced to 70 months imprisonment and ordered to pay $110,431 in restitution to the Internal Revenue Service.

"While she should have been caring for her patients, Ms. Milton was stealing their identities and using them to steal from the U.S. Treasury."
- United States Attorney, Michael Moore
This was another case where a healthcare organization was unaware of the ongoing insider privacy breach until it was notified by law enforcement. It is not known if this organization will detect future breaches of privacy by insiders. For proactive privacy breach detection, healthcare organizations can now utilize low-cost on-demand SaaS analytics.

Wednesday, September 4, 2013

Report: Health IT Spending $34.5B in 2014

To comply with regulatory requirements, health IT spending is predicted to be $34.5 billion in 2014.

The Technology Business "SourceIT Healthcare Report" was based on interviews with health IT executives and line-of-business managers to determine spending intentions, priorities and perceptions.

"The wide variety of regulatory mandates and changes coming into force in the near term in the U.S. magnifies the pressure on healthcare providers, commercial payers and public sector agencies to maximize the value and ROI of their IT spending to meet these requirements." - Joseph Walent, Healthcare Analyst, Technology Business Report
The researchers found that a major area for spending will be business intelligence and analytics. Many healthcare organizations are now utilizing low-cost on-demand SaaS analytics services to deliver insights about business, outcomes, and quality.
Learn how Veriphyr Identity and Access Intelligence delivers business insights - with no hardware and no on-site software.
Sources:
(a) Health IT Spending To Hit $34.5B in 2014, Report Finds - iHealthBeat.org, 09/03/2013

Wear Jeans. Help Kids. Miracle Jeans Day, Sept 18, 2013

Children’s Miracle Network Hospitals
Children’s Miracle Network Hospitals is a charity that raises funds for more than 170 children's hospitals. Donations to Children’s Miracle Network Hospitals are used to provide charitable care, purchase life-saving equipment, and fund research and education programs that save and improve the lives of 17 million children each year.

Why Veriphyr Supports Children’s Miracle Network Hospitals
Like our customers, Veriphyr is committed to doing the right thing for our customers and communities. Veriphyr gives back to the communities by contributing a part of each sale to the Children’s Miracle Network Hospitals in the customer's community as well as donating our proactive privacy breach detection SaaS analytics service to CMNH hospitals.

Sources:
(a) Miracle Jeans Day - www.MiracleJeansDay.com, 09/04/2013

Tuesday, September 3, 2013

FTC: Lab Failed to Protect Patient Data

In a patient privacy complaint, the Federal Trade Commission (FTC) alleges that a cancer detection lab failed to protect the personal information of over 9,000 patients.

According to Jessica Rich, Director of the FTC's Bureau of Consumer Protection, unauthorized exposure of consumers’ personal data puts them at risk for identity theft and other unauthorized use.

"The lab 'Did not use readily available measures to prevent and detect unauthorized access to personal information.'" - Federal Trade Commission
In particular, the FTC claims the lab "Did not use readily available measures to prevent and detect unauthorized access to personal information." One readily available method to detect unauthorized access, even by authorized users, is low-cost on-demand SaaS analytics services.
Sources:
(a) FTC files LabMD patient privacy complaint; LabMD responds - HealthITsecurity.com, 08/30/2013


Copyright © 2010-2011 by Veriphyr Incorporated, All Rights Reserved.

Contact us at Veriphyr.com.