What’s better than a chilly early spring dive into the North Sea of Health Data Insecurity?
Accenture’s report released in February calculated that 26 percent of Americans had experienced a health care-related data breach. 50 percent of those were victims of medical identity theft and had to pay out an average of $2,500 in additional cost. One-third (36 percent) believed the breach took place in hospitals, followed by urgent care and pharmacies (both 22 percent). How did they find out? Credit card and insurer statements were the usual route, with only one-third being notified by their provider. Interestingly, a scant 12 percent of data breach victims reported the breach to the organization holding their data. (You’d think they’d be screaming?) The samples were taken between November 2016 and January 2017. Accenture has similar surveys for the UK, Australia, Singapore, Brazil, Norway, and Saudi Arabia. (Accenture release; PDF of the US Digital Trust Report)
So what’s 16 million breaches between friends? Or 4 million? Or 27 million?
- That is the number (well, 15.9 million and change) of healthcare/medical records breached in 2016 in 376 breaches reported by the Identity Theft Resource Center (ITRC), a federally and privately supported non-profit. Healthcare, no surprise, is far in the lead with 34 percent of breaches and 44 percent of records breached, respectively. The 272 pages of the 2016 End of Year Report will take more than a casual read, but much of its data is outside of healthcare.
- For a cross-reference, we look to the non-profit Privacy Rights Clearinghouse which for many years has been a go-to resource for researchers. PRC’s 2016 numbers are lower, substantially so in the number of records: 301 breaches and 4 million records.
- HIMSS and Healthcare IT News insist that ransomware is under-reported, but their count is large anyway. The HITN 20 March article reports from Protenus’ 2016 research that over 27 million healthcare records were stolen in 450 reported data breaches. 26.8 percent were attributed to ransomware, hacking or malware. This article also contains a lot of speculation by attorneys and other experts in the field that ransomware-related breaches are under-reported: “The reality is often after a ransomware incident, executives find out that criminals have been exploiting their network for years and going public with the information would force their board, executives and staff to answer some serious questions that they are not willing or prepared to answer,” according to ICIT Senior Fellow James Scott quoted in the article.
And don’t be late in your reporting! Presence Health had to pony up a $475,000 settlement with Health and Human Services’ (HHS) Office of Civil Rights earlier this year for a 22 Oct 2013 breach exposing the PHI of over 800 patients that went unreported until 31 Jan 2014. It violated the HHS 60-day rule by a little over a month. It is the first HIPAA monetary enforcement on a healthcare organization for untimely breach reporting, according to HHS. (See HITN above)
Oops! In the UK, the Information Commissioner’s Office (ICO) fined HCA International Ltd a hefty £200,000 for failure to keep its IVF patients’ information from the Lister Hospital secured. In April 2015, a patient found unencrypted transcripts of patient records through an online search. The Indian company that had performed transcription work since 2009 stored audio files and transcripts on an unsecured server. And don’t look now: by May 2018 the ICO will be able to fine four percent of a company’s global turnover where a serious breach of data protection law has occurred.
The danger of the Internet of Things may not come from your microwave, but from your talking teddy. For over a year, the makers of CloudPets left customer records in a MongoDB database that sat behind no firewall and required no password. 800,000 emails and passwords were exposed, along with 2 million recorded messages for this internet-connected messaging toy. Hackers were targeting exposed MongoDB databases in January. The same article claims that the stuffed animals have such poor device security that they could be easily hacked and turned into spy devices. Is there nothing sacred? (Motherboard) Hat tip on the ICO and CloudPets items to former NI Editor Toni Bunting
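For the CloudPets exposure above, here is an added example (not from the original post, and not the vendor’s actual deployment) of the mongod.conf settings that leave a database reachable by anyone, beside the settings that close it; the addresses and file path are illustrative assumptions.

```yaml
# Document 1: the exposed shape. Listens on every interface and accepts any
# client without credentials. Illustrative only, not the CloudPets config.
net:
  port: 27017
  bindIp: 0.0.0.0            # reachable from the internet unless a firewall blocks it
security:
  authorization: disabled    # no login needed to read or dump every collection
---
# Document 2: the hardened shape. Loopback plus one private interface, every
# connection must authenticate, and remote clients must use TLS.
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5       # assumed private app-server address
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongo.pem   # placeholder path
security:
  authorization: enabled           # role-based users, least privilege per application
```

Since MongoDB 3.6 the server binds to 127.0.0.1 by default, but older builds listened on all interfaces, so a packet filter in front of port 27017 is still the check to make regardless of version.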