Monday, June 30, 2014

Class Action in Hospital Insider Privacy Breach?

A lawsuit, seeking class action status, filed against a Toronto hospital is seeking damages of upwards of $300 million for breaches alleged to have happened between 2009 and 2013.

The plaintiffs claim two hospital employees sold the personal information of thousands of new mothers and their babies to an investment firm.

"The two employees...are alleged to have been paid in exchange for the information of more than 8,300 patients, most of them new mothers who gave birth and their families."
- CTV News Toronto
It is unclear how the breaches went undetected for four years. Healthcare organizations seeking proactive detection of privacy data breaches and identity theft can utilize low-cost on-demand SaaS analytics services.
Download a white paper on patient privacy breach detection. Learn how to proactively identify unauthorized breaches of patient data privacy, even by authorized users - with no hardware and no on-site software.
Sources:
(a) Toronto hospital faces class-action lawsuit over privacy breach - http://toronto.ctvnews.ca/toronto-hospital-faces-class-action-lawsuit-over-privacy-breach-1.1886214 - www.CTVnews.ca, 06/25/2014

Friday, June 27, 2014

Insider ID Theft for Tax Refund Fraud at Community Org

An Oregon community support and employment access organization reported “unauthorized access/disclosure” of clients' personal information.

This breach resulted in notifications to 17,914 clients and was listed by the Department of Health and Human Services as beginning March 23, 2010 and ending May 24, 2013.

"...this was a case of insider theft for tax refund fraud, and that after [the organization] was notified of the breach by law enforcement, they prudently notified everyone whose records the employee would have been able to access." - PHIprivacy.net
The organization learned of the ID theft from law enforcement; it is unclear why the breaches occurred for over three years. Organizations seeking to proactively detect data privacy breaches and identity theft, rather than learn of them from third parties, can utilize low-cost on-demand SaaS analytics services.
Download a white paper on patient privacy breach detection. Learn how to proactively identify unauthorized breaches of patient data privacy and identity theft, even by authorized users - with no hardware and no on-site software.
Sources:
(a) Central City Concern notifies employment access clients of data theft by former employee - www.PHIprivacy.net, 06/26/2014

Thursday, June 26, 2014

HHS Investigating Patient Privacy Breach on Facebook

The Department of Health & Human Services (HHS) has started an investigation into HIPAA privacy violations at a Cincinnati healthcare provider, according to an HHS spokesperson.

The probe stems from a hospital employee inappropriately accessing billing records of a patient with a sexually transmitted disease and sharing them with someone who deliberately and maliciously published those records on Facebook (FB), taunting and ridiculing the patient.

"A screen shot of the patient’s name and her diagnosis of syphilis was posted to the closed-member Facebook group “Team No Hoes”. An email with the screen shot was also sent to members of the group."
- Cincinnati Enquirer
Healthcare organizations seeking to proactively detect data privacy breaches, even when done via a mobile phone screen shot, can utilize low-cost on-demand SaaS analytics services.
Sources:
(a) Feds begin HIPAA probe in Cincinnati - www.HealthcareITnews.com, 06/24/2014

Wednesday, June 25, 2014

WV: Actual Damages Not Necessary for Privacy Breach Class Action

The West Virginia Supreme Court determined that a violation of the patient's right to privacy alone was enough to bring a class action suit; the plaintiffs need not prove actual damages.

The court decided a case brought on behalf of thousands of patients requesting class certification to sue a medical center for breaching their privacy rights.

"The dreaded PHI data breach is every covered entity's bad dream, but the West Virginia Supreme Court just turned that bad dream into a nightmare."
- Michael Coco, attorney, Fox Rothschild
Healthcare organizations seeking proactive detection of data privacy breaches can utilize low-cost on-demand SaaS analytics services.
Sources:
(a) United States: PHI Data Breaches Just Went From Bad Dream To Nightmare In West Virginia - www.Mondaq.com, 06/13/2014

Tuesday, June 24, 2014

$800,000 HIPAA Settlement for Privacy Rule Violation

An Indiana health system agreed to an $800,000 settlement involving "potential violations" of the HIPAA Privacy Rule as a result of an incident in June 2009.

The Department of Health and Human Services (HHS) announced the settlement in a press release.

"In addition to the $800,000 resolution amount, the settlement includes a corrective action plan requiring [them] to revise their policies and procedures, train staff, and provide an implementation report to OCR." - HHS press release
In addition to the $800,000 payment, the healthcare organization must develop a corrective action plan "to address deficiencies in its HIPAA compliance program," according to the HHS Office for Civil Rights (OCR).
Sources:
(a) $800,000 HIPAA settlement in medical records dumping case - www.hhs.gov, 06/23/2014

Monday, June 23, 2014

Radiologist Took Patient Billing Data Without Authorization

A radiologist, employed by a multi-specialty physician practice in New York, "accessed and acquired protected health information (PHI) from the practice's billing systems without authorization."

The data included patients' personal information, such as names, addresses, dates of birth, social security numbers, as well as insurance, diagnosis, and procedure codes.

"...as many as 97,000 files of current and former patients may have been [inappropriately] accessed."
- Breach notification letter to patients by multi-specialty physician practice.
The practice stated the breaches were discovered on or about April 24, 2014, but it is unclear how long they had been going on. Healthcare organizations seeking proactive detection of identity theft and breaches of patient privacy can utilize low-cost on-demand SaaS analytics services.
Sources:
(a) NRAD Breach Notification Letter - www.nrad.com, 06/13/2014

Friday, June 20, 2014

HHS: 83% of Breaches Occurred at Health Provider

The Health and Human Services (HHS) breach report to Congress summarized breaches of unsecured protected health information (PHI) for 2011 and 2012.

Among the 10 key findings in the report: in 2012, there were 21,194 reported breaches affecting fewer than 500 individuals. Such data breaches affected a total of 165,135 individuals. Of these data breaches, 83 percent took place at a healthcare provider and 17 percent took place at a health plan.

"Of data breaches affecting fewer than 500 individuals in 2012, 83 percent took place at a healthcare provider."
- US Department of Health and Human Services, Breach Report
Healthcare organizations seeking to proactively detect breaches of PHI can utilize low-cost on-demand SaaS analytics services.
Sources:
(a) 10 Key Findings from HHS' Latest Data Breach Report - www.BeckersHospitalReview.com, 06/18/2014

Thursday, June 19, 2014

Expect Bigger HIPAA Fines

The Office for Civil Rights' (OCR) crackdown on HIPAA violations over the past year will "pale in comparison" to the next 12 months, according to an OCR attorney.

And fines aren’t the only things that are being stepped up. The OCR is promising increased audits, with more than 1,200 companies slated to be scrutinized. “Entities subject to HIPAA’s requirements need to be conscious of not only the planned aggressive punishment related to privacy breaches and security lapses, but also the OCR’s extensive audit strategy,” warns Jason Gavejian, a Jackson and Lewis attorney.

"Knowing what's in the pipeline, I suspect that [$4.8 million] will be low compared to what's coming up."
- Jerome B. Meites, OCR chief regional counsel
Healthcare organizations seeking to avoid HIPAA fines are implementing and reviewing not only policy and procedures but are utilizing technology to proactively detect privacy data breaches. This technology is available as a low-cost on-demand SaaS analytics service.
Sources:
(a) OCR attorney predicts spike in HIPAA fines - www.FierceHealthIT.com, 06/16/2014

Wednesday, June 18, 2014

Mobile Telco Contractors Stole Customer Data

An employee of a contractor to a mobile telecommunications company inappropriately accessed customer information, including dates of birth and Social Security numbers.

The telco believes the customers' personally identifiable information (PII) was used to "unlock" phones so that the devices could be activated with other telco providers.

"...employees of one of our service providers violated privacy and security by accessing your account...your social security number and possibly date of birth were viewed..."
- Mobile telco notification to subscribers
The notification letter states the insider data thefts occurred between April 9-21, 2014 but it is unclear how they were detected. Organizations seeking to proactively detect privacy data breaches and identity theft, even by authorized users, can utilize low-cost on-demand SaaS analytics services.
Download a white paper on privacy data breach and identity theft detection. Learn how to proactively identify unauthorized breaches of data privacy, even by authorized users - with no hardware and no on-site software.
Sources:
(a) AT&T Warns Customers About Data Breach - www.ThreatPost.com, 06/17/2014

Tuesday, June 17, 2014

1 in 10 Affected by Health Data Breaches

Since 2009 the Department of Health and Human Services (HHS) has received more than 116,000 breach reports involving records of fewer than 500 individuals and 1,026 reports of breaches involving 500 or more individuals.

Over 32,600 HIPAA complaint cases have been investigated, with more than 22,500 of them closing with corrective action, according to HHS Office for Civil Rights spokesperson Rachel Seeger.

"More than 116,000 breach reports involving records of fewer than 500 individuals through March 1, 2013."
- Health and Human Services (HHS)
Healthcare organizations seeking proactive detection of data privacy breaches or identity theft can utilize low-cost on-demand SaaS analytics services.
Sources:
(a) One in 10 U.S. Residents Affected by Large Health Data Breaches - www.iHealthBeat.org, 06/16/2014

Monday, June 16, 2014

Employee of Home Improvement Retailer Stole Customer IDs

An IT department employee of a national retailer of home improvement and construction products and services stole customer identities and distributed 500 of them to a third party. In addition this employee inappropriately accessed the personal information of another 30,000 customer accounts.

The employee was fired and is being prosecuted. The retailer is reviewing access controls and all impacted individuals are being notified and offered a free year of credit monitoring services.

"The employee obtained and distributed to a third party the following account information...account holder name, address, phone number, date of birth, and the brand, primary account number and expiration date of the credit card used."
- Notification letter to the New Hampshire Attorney General
Reportedly the identity thefts took place between May 7-21, 2014 but it is unclear how the thefts were detected. Organizations seeking to proactively detect identity thefts and breaches of data privacy can utilize low-cost on-demand SaaS analytics services.
Download a white paper on identity theft and privacy breach detection. Learn how to proactively identify unauthorized breaches of data privacy, even by authorized users - with no hardware and no on-site software.

Sources:
(a) Re: Notification of Potential Data Breach Pursuant to NH Rev. Stat. 359-C:20 - www.DOJ.NH.gov, 05/27/2014

Friday, June 13, 2014

Study: Significant Variations in Health Providers' EHR Use

Healthcare providers, even from the same practice, use electronic health records (EHRs) differently, which may affect quality and cost outcomes, according to a study in the Journal of the American Medical Informatics Association.

The researchers hypothesized that the effects of EHRs may depend on how they're used, not just on whether EHRs are available. 430,803 encounters of 99,649 patients by 112 physicians and nurse practitioners were analyzed.

"[The study] suggests that individual level measures of usage may add value to future research on quality and cost outcomes of EHR use."
- Journal of the American Medical Informatics Association
The study found variability among practitioners was "high." "Clinicians developed personalized approaches to EHR use, such as how often they updated patient problem lists, when they would respond to clinical decision support alerts and whether the encounter was with a new or established patient. Even Meaningful Use objective metrics, which are more likely to be standardized, varied."

Healthcare organizations can utilize Identity and Access Intelligence (IAI) to improve quality and lower costs by measuring individual usage levels of EHRs. Such IAI is available as a low-cost on-demand SaaS analytics service.

Learn how Veriphyr Identity and Access Intelligence delivers insights about healthcare workers and patients - with no hardware and no on-site software.
Sources:
(a) Study Finds Significant Variations in Health Care Providers' EHR Use - iHealthBeat.org, 06/12/2014

Thursday, June 12, 2014

Employee Stole Patient Data for Competitor

An employee of a post-mastectomy products company stole customer information to use at her new job with a competitor.

Information on 2,365 patients was breached including contact information, Social Security Information, and order history.

"An employee took customer information to use at her new job with a competitor." - Florida post-mastectomy products company
Unfortunately, the Health and Human Services (HHS) announcement is unclear as to when the data theft occurred and when it was first discovered. Organizations seeking to protect proprietary information, as well as their customers' privacy, from even authorized users can utilize low-cost on-demand SaaS analytics.
Sources:
(a) Ladies First Choice Inc Reports Insider Theft of Customer Data - www.PHIprivacy.net, 05/31/2014

Wednesday, June 11, 2014

Target Appoints First CISO

Formerly an InfoSec leader at GM and GE, Brad Maiorino has been named Target's first CISO. This comes in the wake of a massive data breach at Target last year.

Maiorino will be responsible for Target's information security and technology risk strategy. He'll report to Bob DeRodes, EVP and CIO, who joined Target in May 2014.

"Maiorino is widely recognized as one of the nation's top leaders in the complex, evolving areas of information security and risk." - Bob DeRodes, CIO, Target
Identity theft is rampant in a number of industries and organizations are proactively detecting these thefts with low-cost on-demand SaaS analytics services.
Download a white paper on identity theft and breach detection. Learn how to proactively identify unauthorized breaches of data privacy, even by authorized users - with no hardware and no on-site software.
Sources:
(a) Target Names Its First CISO - www.HealthcareInfoSecurity, 06/10/2014

Tuesday, June 10, 2014

County Employees Targeted by Massive Identity Thefts

A massive data breach has affected hundreds of county employees in Florida, according to NBC news.

Employees' personal information is being used to file fraudulent unemployment claims and commit credit card fraud.

"It's exasperating trying to clear your name for something you didn't do -- my good name and my good credit."
- one of the identity theft victims, Farren Oglesby
It is unclear how the identity thefts, which may have started last, were discovered. Organizations seeking to proactively detect identity thefts and privacy data breaches can utilize low-cost on-demand SaaS analytics services.
Download a white paper on identity theft detection. Learn how to proactively identify unauthorized breaches of data privacy, even by authorized users - with no hardware and no on-site software.
Sources:
(a) Massive Data Breach Affects Hundreds of Miami-Dade County Employees - www.NBCmiami.com, 06/06/2014

Monday, June 9, 2014

Drugstore Employee Stole Patient Identities

A Georgia employee of a national drugstore chain stole patient identities in March and April 2014, according to a notification letter sent to Maryland's State Attorney General.

The stolen information, such as names, dates of birth and Social Security numbers, was given by the employee to a third party. The drugstore chain is notifying patients, setting up a hotline and providing a free year of credit monitoring.

"...an employee may have stolen certain personal information for some of our patients and provided that information to a third party."
- Drugstore chain's letter to Maryland State Attorney General
It is unclear how the identity thefts were discovered. Healthcare organizations seeking proactive identity theft detection can utilize low-cost on-demand SaaS analytics services.
Sources:
(a) Re: Information Security Incident Notification - www.OAG.State.MD.US, 05/27/2014

Friday, June 6, 2014

Snowden Anniversary and the Need for IAI

It has been one year since Edward Snowden’s public revelations of mass surveillance conducted by the U.S. National Security Agency and almost one year since Bradley Manning was sentenced to 35 years in prison for his role in WikiLeaks.

These high profile anniversaries make the time ripe to consider using Identity Access Intelligence (IAI) to detect insider data breaches, even those by authorized users.

Rather than utilizing static rules that result in huge amounts of "problem activity," IAI applies clustering techniques that allow the data itself to reveal which activities are normal and which are threats, as well as the very few instances of real data theft and data privacy violations. IAI is available as a low-cost on-demand SaaS service.
Download a white paper on data breach detection. Learn how to proactively identify unauthorized breaches of data privacy, even by authorized users - with no hardware and no on-site software.
Sources:
(a) Interview with Edward Snowden - www.NBC.com, 06/06/2014

Thursday, June 5, 2014

Patient ID Theft Ring Leader Sentenced 10 Years

Jennifer Robinson organized a scheme to steal patient identities from a Central Florida medical facility. The stolen patient IDs were then used to file fraudulent income tax returns in the patients’ names, and to fraudulently obtain credit cards.

Numerous co-conspirators and co-defendants in this insider patient identity theft, tax and credit card fraud ring have been sentenced or are awaiting sentencing.

"The scheme involved stealing the identities of patients at a medical facility in central Florida. Those identities were then used to file fraudulent federal income tax returns in the patients’ names seeking fraudulent refunds, and obtaining fraudulent credit cards which were then used to make fraudulent purchases."
- US Attorney's Office, Southern District of Florida
It seems that in this case, as in most involving insider identity thefts from healthcare organizations, law enforcement discovered the data breach. Healthcare organizations seeking to proactively detect patient identity thefts can utilize low-cost on-demand SaaS analytics services.
Sources:
(a) Ringleader of Identity Theft Ring Sentenced to 121 Months in Prison - www.Justice.gov, 06/02/2014

Wednesday, June 4, 2014

HR Role in Data Security Increasing

While businesses often leave data security to their IT departments, HR is becoming more involved, according to attorney Daniel Schwartz, a partner at Shipman and Goodwin.

Schwartz outlined a number of steps to help companies prevent data theft. In addition to training programs, he recommends an audit to determine data breaches.

"Perform an audit to figure out where data leakages are coming from, focusing on both electronic information and personnel files that are in paper format. Also hiring a third party to find “holes” in the system."
- Daniel Schwartz, partner Shipman and Goodwin
He also suggests "hiring a third party to find 'holes' in the system." To find such "holes," as well as detect data theft and breaches, organizations can utilize low-cost on-demand SaaS analytics services.
Download a white paper on data theft detection. Learn how to proactively identify unauthorized breaches of data privacy, even by authorized users - with no hardware and no on-site software.
Sources:
(a) Getting HR Involved in Data Security - www.CorpCounsel.com, 06/02/2014

Tuesday, June 3, 2014

FL Hospital Employee Sentenced for ID Theft

A healthcare worker, Yvonne Marie Johnson, was sentenced to three years in prison for identity theft in connection with Operation Zig Zag, according to the State Attorney's Office.

Johnson, while an employee at a Florida hospital, stole patients' identities and gave the information to others who filed fraudulent tax returns and obtained fraudulent credit cards.

"Yvonne Marie Johnson was sentenced this week to three years in prison for identity theft." - Florida State Attorney General's Office
A credit union, not the hospital, alerted law enforcement to the identity thefts. Healthcare organizations seeking to proactively detect identity thefts and privacy breaches can utilize low-cost on-demand SaaS analytics services.
Sources:
(a) Jacksonville Woman Sentenced in Identity Theft Scheme - www.sao4th.com, 05/30/2014

Monday, June 2, 2014

D.C. Hospital Worker Pleads Guilty to ID Theft

Detrius Elliott pleaded guilty today to stealing numerous identities belonging to financial guarantors of patients at a Washington, D.C. hospital, as part of a large identity theft ring operating in the area.

Elliott admitted to stealing names, addresses, dates of birth, and Social Security numbers from the billing database of the Washington hospital where she was employed. Elliott provided the identities to co-conspirators, who used the identities to obtain fraudulent driver’s licenses and open instant lines of credit and rent vehicles under the victims’ names.

"Elliott admitted to stealing names, addresses, dates of birth, and Social Security numbers from the billing database of the Washington hospital where she worked."
- US Department of Justice, Eastern District of Virginia
It is unclear how the identity thefts were discovered; often law enforcement, rather than the healthcare organization, is the first to know about ID thefts. Organizations seeking to proactively detect identity theft and privacy data breaches can utilize low-cost on-demand SaaS analytics services.
Sources:
(a) Washington, D.C. Hospital Worker Pleads Guilty To Identity Theft - www.Justice.gov, 05/29/2014


Copyright © 2010-2017 by Veriphyr Incorporated, All Rights Reserved.

Contact us at Veriphyr.com.