Thursday, March 28, 2013

BITS: Top Fraud Threats to Banks

What's the top threat banks and their customers face in 2013? Nancy Guglielmo, VP, Fraud Reduction Program for BITS, shares her insights.

"The greatest challenges in the coming year are income tax fraud and identity theft. It's really amazing how much this type of fraud has grown in the last few years, and the IRS is really struggling with this issue, too. This is part of the reason we've seen an increase in identity theft, which I consider to be the No. 1 issue for fraud at this time."

"...income tax fraud and identity theft...the IRS is struggling with this issue, too. This is part of the reason we've seen an increase in identity theft, which I consider the No. 1 issue for fraud."
- Nancy Guglielmo, VP, Fraud Reduction Program, BITS
Ms. Guglielmo's views are consistent with recent reports of identity theft involving insiders who steal patient or customer information and use or sell it to file fraudulent tax returns.
Download a white paper on data privacy breach detection. Learn how to proactively identify unauthorized breaches of data privacy, even by authorized users - with no hardware and no on-site software.
Sources:
(a) BITS on Top Fraud Threats to Banks - CUInfoSecurity.com, 03/15/2013

Wednesday, March 27, 2013

Big Data and Privacy Debate

Many predict the next wave of computer innovation will be driven by technologies that "fly under the banner of Big Data — data including Web pages, browsing habits, sensor signals, smartphone location trails and genomic information, combined with clever software to make sense of it all."

"But the latest leaps in data collection are raising new concern about infringements on privacy..."

"We’re on the cusp of a golden age of medical science and care delivery. But a privacy backlash could cripple progress." - George C. Halvorson, CEO, Kaiser Permanente
Moving to electronic medical records has great potential to improve healthcare but only if people trust the privacy of their data. "Corporate executives and privacy experts agree that the best way forward combines new rules and technology tools" to protect data privacy.
Download a white paper on patient privacy breach detection. Learn how to proactively identify unauthorized breaches of patient data privacy, even by authorized users - with no hardware and no on-site software.
Sources:
(a) Big Data Renews Privacy Debate - New York Times, 03/24/2013

Tuesday, March 26, 2013

Multiple Data Privacy Breaches and ID Thefts in South FL

The IRS says identity theft affects many industries, not just hospitals. But according to HHS reports, health insurance companies have had breaches affecting millions of Floridians.

The south Miami case is the latest hospital ID theft to surface in South Florida. Since 2009, the Department of Health and Human Services has received reports that hundreds of thousands of patients have been affected by breaches at hospitals across South Florida.

The largest breaches include Memorial Healthcare System with 111,650 patients affected, the University of Miami Health System with 66,065 people, Mount Sinai Medical Center with 2,600 patients and Jackson Health System with 2,062 patients.

"The bad guys buy social security numbers from employees at hospitals and medical centers for up to $150 each."
- IRS Special Agent in Charge of Miami office, Tony Gonzalez
Last year, Memorial Healthcare System in Hollywood notified 9,500 patients that two employees were fired because they may have inappropriately accessed patients' personal information with the intent to process fraudulent tax returns.

Although one hospital "reinforced the importance of the privacy and confidentiality of patients' information with its staff and affiliated physicians' employees," technology for proactive privacy data breach detection should also be used, so that organizations do not first learn of the problem from law enforcement agencies.

Sources:
(a) Hospital Identity Theft Found at Some South Florida Hospitals - Private Officer News Network, 03/22/2013

Monday, March 25, 2013

Again, DJJ Database Inappropriately Accessed for Tax Fraud

A probation officer for the Florida Department of Juvenile Justice (DJJ) was arrested and charged with conspiring to defraud the federal government. He worked with at least two other people who filed tax returns claiming more than $1.6 million in fraudulent tax refunds. One of them was found in possession of information from at least 90 people under DJJ supervision.

What’s concerning is that the officer was reportedly able to access juveniles’ information without being traced. And this was not the first time this has happened - in 2010, there was a similar case.

"This is not the first time we’ve seen the DJJ database misused for tax refund fraud scheme. One can reasonably ask why the agency didn’t harden its access controls and security after the first report and why this was able to happen again."
- Office of Inadequate Security
The DJJ maintains a database of current and former probationers, but the system recorded only when someone accessed a specific probationer’s full report. It did not record when someone logged in and conducted a search.

Clearly, a proactive approach to detecting which data even authorized users are accessing is needed.
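The logging gap described above, shown as an added example (it is not code from the DJJ system or from this blog): a toy records database replayed under two policies, one that logs only full-report views and one that also logs logins and searches. It assumes that search result lists display identifying fields; all names, IDs and records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample data; every name and identifier here is hypothetical.
RECORDS = {
    "P-1001": {"name": "Avery Stone", "dob": "2000-01-01", "report": "case notes 1001"},
    "P-1002": {"name": "Avery Lane", "dob": "2000-02-02", "report": "case notes 1002"},
    "P-1003": {"name": "Blake Reyes", "dob": "2000-03-03", "report": "case notes 1003"},
    "P-1004": {"name": "Casey Ford", "dob": "2000-04-04", "report": "case notes 1004"},
}


class AuditLog:
    """Append-only list of who did what to which records."""

    def __init__(self):
        self.events = []

    def record(self, user, action, subjects=(), detail=""):
        self.events.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user,
            "action": action,
            "subjects": tuple(subjects),
            "detail": detail,
        })


class CaseDatabase:
    """Toy records system. log_sessions=False mimics logging full-report views only."""

    def __init__(self, records, audit, log_sessions=True):
        self.records = records
        self.audit = audit
        self.log_sessions = log_sessions

    def login(self, user):
        if self.log_sessions:
            self.audit.record(user, "login")

    def search(self, user, name_prefix):
        prefix = name_prefix.lower()
        hits = sorted(rid for rid, rec in self.records.items()
                      if rec["name"].lower().startswith(prefix))
        if self.log_sessions:
            # Log the query and every record the result list exposed,
            # even when the result list is empty.
            self.audit.record(user, "search", hits, detail=name_prefix)
        # Assumption: the result list itself shows identifying fields.
        return [(rid, self.records[rid]["name"], self.records[rid]["dob"]) for rid in hits]

    def view_report(self, user, record_id):
        self.audit.record(user, "view_report", [record_id])
        return self.records[record_id]["report"]


def exposure_by_user(audit):
    """Map each user to the set of record IDs the log can prove they saw."""
    seen = defaultdict(set)
    for event in audit.events:
        seen[event["user"]].update(event["subjects"])
    return dict(seen)


def flag_search_only_access(audit, min_records=3):
    """Users who saw at least min_records via search but opened none of them."""
    searched, viewed = defaultdict(set), defaultdict(set)
    for event in audit.events:
        if event["action"] == "search":
            searched[event["user"]].update(event["subjects"])
        elif event["action"] == "view_report":
            viewed[event["user"]].update(event["subjects"])
    return sorted(user for user, ids in searched.items()
                  if len(ids) >= min_records and not (ids & viewed[user]))


def replay(log_sessions):
    """Run the same constructed activity against either logging policy."""
    audit = AuditLog()
    db = CaseDatabase(RECORDS, audit, log_sessions=log_sessions)
    db.login("officer_a")
    for prefix in ("a", "b", "c"):          # browses result lists, opens nothing
        db.search("officer_a", prefix)
    db.login("officer_b")
    db.search("officer_b", "casey")
    db.view_report("officer_b", "P-1004")   # normal casework
    return audit
```

Under the view-only policy the log holds a single event and the browsing user never appears in it; with logins and searches recorded, the same activity attributes all four records to that user.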

Sources:
(a) FL Probation Officer Accused of Milking Records for Tax Fraud - Databreaches.net, 03/24/2013
(b) Probation Officer Accused of Milking Records for Data - Tampa Bay Online, 03/22/2013
(c) FL: Feds Say Clay Man Took IRS for Millions After State Computers Tapped - Databreaches.net, 09/2010

Sunday, March 24, 2013

Auditing Your Outside HIPAA Auditors

When an outside auditor needs access to your applications it can be particularly useful to assign each auditor a unique identifier (and associated password).

This makes your existing audit logs an "excellent database that can be used to identify the number of audits, auditors, previous activity, etc", according to Frank Ruelas, Principal at HIPAA College.
"We have built a very collegial relationship with many of those entities that are "frequent fliers" when it comes to auditing activity." - Frank Ruelas, Principal at HIPAA College
For example, he has been able to "educate" the auditors' management on how their own auditors "may or may not have been able to make some of the conclusions they make in their final reports based on their access".

Veriphyr identity and access intelligence service makes it easy to compile reports on the auditors' activity across all your applications. In a single report you can see what applications they accessed, what they did in the application, and which customers/patients and employees they looked at.

For more about this see:
Frank Ruelas posting on the Healthcare Compliance Associations (HCCA) bulletin board
Sources:
(a) Frank Ruelas posting on the Healthcare Compliance Associations (HCCA) bulletin board - HCCANet - March 24, 2013

Saturday, March 23, 2013

HIPAA Breach Notification Guidance with Real Example

Looking for a good example comparing HHS guidance with a real-life breach notification?

Here is such an example using the recent case of a fire department and their billing company.
The billing company’s employee improperly accessed and disclosed patient account information as part of a scheme to file false federal tax returns.
The example provides the actual text of the breach notification along with direct quotes from the relevant section of the HHS Breach Notification Guidance and RFI (74 FR 19006).

For the example see: A closer look at a real-life HIPAA breach notification

Friday, March 22, 2013

Clerk Prosecuted: Accessed Ex-husband's Spouse's Medical Data

A former receptionist at a UK physician's office has been prosecuted by the Information Commissioner’s Office (ICO) for unlawfully obtaining sensitive medical information relating to her ex-husband’s new wife.

Marcia Phillips was found to have accessed the information on 15 separate occasions over a 16-month period while working as a receptionist at a medical practice. The breach became apparent after Phillips left her job and sent a text message to her ex-husband’s partner referring to highly sensitive medical information taken from her medical record.

"This case clearly shows the distress that can be caused when an individual uses a position of responsibility to illegally access sensitive personal information."
-Deputy Commissioner and Director of Data Protection, David Smith
It is important to ask why the breaches, which took place on multiple occasions over a long time period, were not detected proactively during regularly scheduled audits.
Sources:
(a) Medical Receptionist Prosecuted After Unlawfully Accessing Patient's Details - UK Information Commissioner's Office, 03/12/2013

Thursday, March 21, 2013

EHR Incentives Top $12 Billion

"With some healthcare providers now into their second year of meaningful use reporting, Medicare and Medicaid electronic health record payments were estimated at $12.3 billion paid to a total of 219,000 physicians and hospitals through February since the program’s inception."
"An estimated $12.3 billion has been paid to 219,000 physicians and hospitals since the program’s inception."
- Healthcare IT News
The Centers for Medicare & Medicaid Services will post final figures for February later this month as it captures more complete data, said Robert Anthony, a specialist in CMS’ Office of eHealth Standards and Services.
Sources:
(a) EHR Incentive Payments Top $12 Billion - Health IT News, 03/15/2013

Wednesday, March 20, 2013

HHS/OCR Preparing Permanent Privacy & Security Audit Program

As the HHS Office for Civil Rights prepares for a permanent audit program to start during fiscal year 2014, it will conduct an on-line survey of the providers, payers and claims clearinghouses covered by the 115 random HIPAA privacy/security compliance audits conducted in 2012.
"...a permanent audit program to start during fiscal year 2014."
- Health Data Management
"The survey will cover pilot attitudes about the audit program, including document requests, communications received, on-site visits, and audit report findings and recommendations. It also will seek estimates of financial and time costs for responding to audit-related requests, the effect of the audit program on day-to-day business operations, and whether HIPAA compliance was improved because of the audit program."
Sources:
(a) HHS/OCR to Survey HIPAA Audit Pilot Sites to Prepare Permanent Program - Health IT Data Management, 03/18/2013
(b) Notice by HHS - Federal Register, 03/19/2013

Tuesday, March 19, 2013

HIPAA Breach Affects 1,400 in Connecticut

A former employee of a Connecticut university hospital inappropriately accessed patient healthcare records.

According to a notice on the health center's website, information accessed included names, addresses, dates of birth, Social Security numbers and clinical data.

Fines by the OCR for such breaches are expected to continue.

"We have collected a total of over $50 million from our enforcement activity."
- Leon Rodriguez, OCR Director
Speaking on the HIPAA final rule at the 2013 HIMSS Annual Conference & Exhibition, OCR Director Leon Rodriguez told HIMSS13 attendees that some 65,000 breach reports have been filed with the OCR since 2009. "We are now at a point where we have collected a total of over $50 million from our enforcement activity," said Rodriguez. With business associates now accountable in complying with the HIPAA Security Rule, Rodriguez expects that number to increase significantly.
Sources:
(a) Connecticut HIPAA Breach Affects 1400 - Healthcare IT News, 03/14/2013

Monday, March 18, 2013

Update: Insider Breaches Patient Data at Six Medical Practices

In an update to our earlier blog "Insider Breaches Patient Data at Six Medical Practices," Lawrence Melrose Medical Electronic Record Inc., in Melrose, Mass. will notify the Office for Civil Rights of a data breach after an employee improperly accessed the electronic medical records of some 200 patients across six different medical practices.
"...an employee improperly accessed the electronic medical records of some 200 patients across six different medical practices." - Health Care IT News
"According to Rick Pozniak, system director of marketing, communications and public affairs, Hallmark Health System, the employee who accessed these patient records without proper authorization has since had their employment terminated." It is unclear if the employee worked for one of the six practices or for LMMER/HHS.

"Patient information compromised includes patient names, Social Security numbers, health insurance data and clinical information." "Both the physician's practice and HHS deeply regret and apologize for any concern or inconvenience this situation may cause the patients," said Pozniak in an emailed statement. "We are in the process of reviewing the privacy and security of our electronic medical records system and making improvements to the security safeguards we currently employ."

Sources:
(a) Insider Breaches Patient Data at Six Medical Practices - www.blog.veriphyr.com, 03/18/2013
(b) Hospital's EHR Company Sees HIPAA Breach - Healthcare IT News, 03/18/2013

Insider Breaches Patient Data at Six Medical Practices

An employee of a medical practice improperly accessed the electronic medical records (EMRs) and patient registration information of patients at six medical practices in Melrose, Massachusetts.

A report of the breach was made to the New Hampshire Attorney General's office. The notification to the state did not include a copy of their notification letter to patients, so the full scope of information the employee accessed or why is unknown.

"...an employee of a medical practice improperly accessed the EMRs and patient registration information of patients at six medical practices...."
- PHIprivacy.net
"In response to the breach, the EMR firm says it is enhancing its privacy and security controls, consulting with professionals about implementing better access control monitoring, and re-training all employees. Affected patients are being offered credit protection and restoration services."

"The letter does not indicate whether the employee has been referred to law enforcement for criminal charges."

Sources:
(a) Massachusetts EMR Firm Reports Breach - PHIprivacy.net, 03/16/2013

Thursday, March 14, 2013

Settlement in Landmark HIPAA Breach

In the first HIPAA breach settlement involving less than 500 patients, the University of Idaho has agreed to pay the Department of Health and Human Services $50,000.
"This is the first HIPAA breach settlement involving less than 500 patients." - Shred Quick
This fine has sent a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding patients' health information (PHI). The University has taken extensive steps to improve their privacy and security program for patient data.

Veriphyr encrypts, in motion and at rest, all customer data, including PHI.

Sources:
(a) Settlement Reached in Landmark HIPAA Breach Case - www.ShredQuick.com, 03/12/2013

Wednesday, March 13, 2013

Health IT Worker Shortage Eased by Service Providers

A PwC Health Research Institute study finds the health IT worker shortage is greater than previously thought.

"According to PwC, competition for talented HIT professionals has intensified as the industry works to meet new regulatory requirements and business goals. Organizations are discovering they must work with -- rather than independently of -- industry counterparts to achieve common goals for healthcare quality."

"Under pressure to meet requirements for electronic health records and avoid penalties, hospitals, physicians and other caregivers have the greatest need for IT specialists in the health sector."
-PwC Health Research Institute
"Nearly 80 percent of global healthcare CEOs surveyed expect to increase technology investments in 2013." - PwC Health Research Institute
"The challenge for healthcare is not just a shortage of people with technical skills. It's also a shortage of people with the skills to marry technological savvy with business strategy as healthcare becomes more connected, coordinated and accountable," said Daniel Garrett, principal and PwC's Health Information Technology practice leader. "The benefits of HIT will not be realized until organizations can ensure information is unlocked and integrated in a way to best inform critical business and clinical decision-making."

Insurers and other organizations are offering providers technology-related services, especially in the area of analytics, to fill the gap IT staff shortages create.

Learn how Veriphyr Identity and Access Intelligence as a service delivers business insights - with no hardware and no on-site software.
Sources:
(a) Health IT Worker Shortage Looms - Healthcare IT News, 03/12/2013
(b) Solving the Talent Equation for Health IT - PwC, March 2013

Monday, March 11, 2013

Healthcare IT Staff Scarce; Service Providers Can Fill Gap

"The war for talent is on," said Steven Bennett of Kirby Partners, a health IT recruiting firm. Bennett and his co-presenter, Timothy Stettheimer, Regional CIO, Ascension Health, presented survey findings at HIMSS 2013.

The survey, conducted specifically for the conference, included responses from 800 health IT professionals, including chief information officers, manager/directors and staff "without people-management responsibilities."

"'IT is critical to every single initiative at our institution' said one CIO, but 'We don't have the people to get things done,' said another."
- Timothy Stettheimer, Regional CIO, Ascension Health
"When asked if they would be open to new opportunities in the next 12 to 18 months, the survey found that 26% of the manager/directors said they were happy where they were, 48% said they were "keeping an eye open" for new opportunities, and 26% were actively seeking a new job. Of nonpersonnel-management staff, 36% said they were happy with their current job, but 42% were keeping an eye open and 22% were actively looking for greener pastures."

Such difficulties in finding quality healthcare IT staff have led to the rise of various services that fulfill the needs of the business side of an organization without requiring more IT staff.

Download a white paper on patient privacy breach detection as a service. Learn how to proactively identify unauthorized breaches of patient data privacy, even by authorized users - with no hardware and no on-site software.
Sources:
(a) Recruiter Describes 'war for talent' - Modern Healthcare, 03/07/2013

Friday, March 8, 2013

Average Salary for Healthcare CIOs, IT Executives?

According to a recent report by the College of Health Information Managers, the average annual base salary for CIOs and other senior executives at multi-hospital systems is $254,054.

The average annual base salary for CIOs and senior IT executives was $243,229 at academic medical centers, $187,410 using a hospital/clinic model, $178,786 at community hospitals and $125,573 at critical access hospitals.

"The average annual base salary for CIOs and other senior IT executives at multi-hospital systems is $254,054."
- College of Healthcare Information Managers survey
The report is based on responses from 18% -- or 263 -- of CHIME's 1,450 members. The survey was conducted between December 2012 and January 2013.
Sources:
(a) What is the Average Base Salary for CIOs, IT Executives by Health Care Facility Type? - iHealthBeat.org, 03/06/2013

(b) CHIME 2012 CIO Salary Survey Report - CHIME, 2013

Thursday, March 7, 2013

Alan F. Westin, Who Defined Right to Privacy, Dies

Before the computer age and web era, Alan F. Westin transformed the privacy debate. He died last month at age 83.

"Through his work — notably his book “Privacy and Freedom,” published in 1967 and still a canonical text — Mr. Westin, an attorney and political scientist, was considered to have created, almost single-handedly, the modern field of privacy law. He testified frequently on the subject before Congress, spoke about it on television and radio and wrote about it for newspapers and magazines."

"He transformed the privacy debate by defining privacy as the ability to control how much about ourselves we reveal to others."
- Jeffrey Rosen, Professor and Legal Affairs Editor, The New Republic
"In recent years, Mr. Westin turned his attention to the Niagara of personal data loosed by Google, Facebook and their ilk. Trying to stem this tide was a hopeless task, and he knew it." “He recognized that the problems of protecting privacy are now so daunting that they can’t be dealt with by law alone, but require a mix of legal, social and technological solutions,” Mr. Rosen said.
Sources:
(a) Alan F. Westin, Scholar Who Defined Right to Privacy, Dies at 83 - NY Times, 2/22/13

Wednesday, March 6, 2013

Hospital Employee Stole Patient Info for Tax Refund Fraud

A South Miami hospital employee inappropriately accessed 834 records and disclosed patients' information to individuals involved in filing fraudulent tax returns.

According to the hospital, the records, dated from June 2011 through February 2012, included patient names, dates of birth and Social Security numbers.

"The hospital says the wrongdoing came to light during a collaborative investigation...does that mean law enforcement informed them that they had a problem and then they looked and found it?" - PHIprivacy.net
As of 03/01/13, there’s no statement on the hospital's web page. As is often the case, we need more information, especially as to when the hospital first knew about the breach and what procedures they have in place, or are instituting, to proactively detect such inappropriate access by insiders.
Sources:
(a) South Miami Hospital Employee Stole Patients' Info for Tax Refund Fraud - PHIprivacy.net, 03/01/2013
(b) South Miami Hospital Employee Accesses Patients' Records - Local10, 03/01/2013

Tuesday, March 5, 2013

K-12 Database Will Need Privacy Monitoring

While many see a new education database as a way to "personalize learning," others, including parents, the ACLU and PTA, are concerned about privacy of students' information.

Built to chart academic paths, it "already holds data on millions of children identified by name, address and sometimes social security number. Learning disabilities are documented, test scores recorded, attendance noted. In some cases, the database tracks student hobbies, career goals, attitudes toward school - even homework completion."

"If student records leak, are hacked or abused, what are the remedies for parents? It's very troubling." - Norman Siegel, Civil Liberties Attorney
"Federal officials say the database project complies with privacy laws. Schools do not need parental consent to share student records with any "school official" who has a "legitimate educational interest," according to the Department of Education. The department defines "school official" to include private companies hired by the school, so long as they use the data only for the purposes spelled out in their contracts."

If this is the case, the database will need privacy monitoring to ensure that data is being shared ONLY with those who meet these criteria.

Download a white paper on student data privacy breach detection. Learn how to proactively identify unauthorized breaches of student data privacy, even by authorized users - with no hardware and no on-site software.
Sources:
(a) K-12 Student Database Jazzes Tech Startups, Spooks Parents - Reuters, 03/03/13
(b) Building a Student Data Infrastructure: Privacy, Transparency, and the Gates Foundation-Funded inBloom - HackEducation, 02/10/13
(c) inBloom - www.inbloom.org, 03/03/13

Monday, March 4, 2013

NEJM: Secure Patient Data

"The Office for Civil Rights has received more than 77,000 complaints regarding breaches of health information privacy and completed more than 27,000 investigations, which have resulted in more than 18,000 corrective actions."
"...breaches of health information security exact a weighty financial toll and endanger patients." - New England Journal of Medicine
"Beyond privacy concerns, breaches of health information security exact a weighty financial toll and endanger patients. Abuse of insurance identifiers drains money that would be better spent funding legitimate health care services."

"And identity breaches can deleteriously affect the quality of care. Incorrect information can infiltrate the beneficiary's medical record and corrupt later medical decision making. Beneficiaries have been wrongly labeled as diabetic or HIV-positive when people with those conditions obtained services using a beneficiary's medical identity."

"Health care providers should follow best practices to ensure that computer networks are more secure. As progress continues toward the development of a national infrastructure for electronic health information, security of electronic data becomes increasingly important."

Sources:
(a) Protecting Patient Privacy and Data Security - New England Journal of Medicine, www.nejm.org, 2/27/13
(b) Avoid Medical ID Theft - Department of Health and Human Services, www.hhs.gov, 2/27/13
(c) Audit of Information Technology Security Included in Health Information Technology Standards - Department of Health and Human Services, www.hss.gov, May 2011

Friday, March 1, 2013

HHS Expanding Privacy Enforcement Team

The HHS Office for Civil Rights is hiring health information privacy specialists on a fast-track, with the open period for applying closing on March 12.
"HHS is hiring health information privacy specialists on a fast-track, with the open period for applying closing on March 12."
- Health Data Management
OCR provides oversight, leadership, and coordination necessary to ensure that individuals have nondiscriminatory access to HHS services or programs and that the privacy and security of their health information is protected.

The Division of Health Information Privacy enforces the HIPAA Privacy and Security Rules and the confidentiality provisions of the Patient Safety and Quality Improvement Act.

OCR is seeking experience in privacy and security compliance and enforcement as well as in the areas of policy, outreach, and health information technology systems.

These full time, permanent positions, located in Washington, D.C., are government services (GS) levels of 13 or 14 and pay $89,033 to $136,771 annually.

GS 13 qualifications include developing or improving programs to educate stakeholders about privacy and security requirements; GS 14 applicants must have experience providing oversight and coordination to process and resolve complaints and determine compliance with and enforcement of regulations.
Sources:
(a) www.usajobs.gov - WWW.USAJOBS.GOV, 03/01/2013
(b) www.hhs.gov - WWW.HHS.GOV, 03/01/2013
(c) Want to Be a Privacy Cop? - Health Data Management, 03/01/2013

Copyright © 2010-2011 by Veriphyr Incorporated, All Rights Reserved.

Contact us at Veriphyr.com.