Data breaches remain in the news–and the debate around how best to secure data rages.
Everything old is new again. UK website Computing reported that East Midlands Ambulance Service NHS Trust lost a data cartridge containing 42,000 records from its divisional headquarters in Nottingham. It was a small but deadly cartridge containing scanned handwritten copies of Patient Report Forms from September to November 2012. However, it can only be read on a now-obsolete cartridge reader, one of which is on the Trust’s premises. An interesting project for a ‘cracker’? Perhaps someone thought it was an old paperweight? Is this the virtue of old tech?
Wakey, wakey Hermann! Memorial Hermann Health System in Houston, Texas had an unauthorized employee nosing around patient records for seven years up to July, affecting at last count 10,604 patients. Compromised were health insurance information, Social Security (SSI) numbers, names, addresses and dates of birth (DOB). Obviously the records weren’t firewalled and were easy to access. No motive cited. According to HealthITSecurity, this person has been suspended, not fired. Also iHealthBeat.
Nothing to see here…move on. Breaking News. Healthcare.gov was breached in July by a hacker uploading malicious software to a server used to test code. No evidence that personal information was compromised. HHS maintains this was the first successful intrusion. We’ll see. MarketWatch (excerpt of WSJ paywalled story)
Is any system hackerproof? Reader Joanne Chiocchi cited this Editor’s first article on the massive CHS breach (from the reprint in HITECH Answers–thank you, Roberta Mullin) and posed this question on LinkedIn’s Ellen’s Ethical Lens group. 48 comments later, many from a ‘devil’s advocate’ dentist who doesn’t much like EHRs/EDRs: in his view, highly hackable, inaccurate and a time waster in completing just HIPAA privacy notices. There are plenty of sobering facts in the comments (all worth reading). The dentist points out voluminously that ignoring and covering up security and process problems will inevitably invite a practitioner and patient backlash. Hat tip to Joanne and Ellen Fink-Samnick.
And two more breaches that required no hacking whatsoever:
To live and steal data in LA. A Cedars-Sinai Health System laptop stolen in a home burglary had 500 patient records with primarily lab results and SSI numbers. iHealthBeat
The Vienna 1946 “Third Man” Award, Second Edition goes to The Hand Care Center/Shoulder and Elbow Institute and the Orthopaedic Specialty Institute Medical Group, both of Orange, California, which stored 59,000 old x-rays containing patient records with Iron Mountain, supposedly securely. Two IM employees stole them and sold them to a recycler for the silver. Harry Lime Lives! Privacy Rights Clearinghouse 12 and 26 August
Recent data breach coverage: CHS data breach estimated price tag: $150 million; FBI ‘Flash Alerts’ health organizations about hacker attacks; The drip of data breaches now a flood: 4.5 million records hacked–update