VA Department data breaches soar (US)

If after the Healthcare.gov debacle, there’s still any confidence that centralized Federal systems are secure and trustworthy, please read this HealthcareITNews tally of the multiple data breaches and HIPAA violations taking place at the US Department of Veterans Affairs (VA).

From 2010 through May 2013, VA department employees or contractors were responsible for 14,215 privacy breaches affecting more than 101,000 veterans across 167 VA facilities, including incidents of identity theft, stealing veterans' prescriptions, Facebook posts concerning veterans' body parts, and failing to encrypt data, a Pittsburgh Tribune-Review investigation revealed.

The two-month investigation by the Pittsburgh Tribune-Review published this weekend found that the VA led the way in HIPAA violations–17 in the past few years–for reasons centering on lack of accountability, shoddy safeguards, sloppiness in handling data and failure to encrypt data even after the 2006 theft of a laptop put records of 26.5 million veterans in danger. There are few firings, disciplinary actions or HHS fines.

This should put telehealth and telemedicine providers on notice that their encryption will have to be 'stronger than the VA', as the VA and the Department of Defense (DOD) together are the single largest users of telehealth in the US.

Data insecurity in Obamacare insurance exchanges (US)

Image caption: The warning that should appear as the main page of 50 state health exchanges.

Subsumed under the 'government shutdown' (which in reality affects a distinct minority of Federal government employees) is a significant concern: the state-based online exchanges now selling individual insurance, effective 1 Jan 2014, much trumpeted under the Affordable Care Act and baked into it two years ago, already present significant vulnerabilities in securing the vital data of millions: Social Security numbers, dates of birth, addresses, and tax and earnings information. These state-based exchanges are also dependent on information from a Federal data 'Hub' which "acts as a conduit for exchanges to access the data from where they are originally stored" (HHS Office of Inspector General report, August 2013, page 2). If improperly secured, this opens up other Federal agencies to further upstream identity theft mayhem.

Already, information is in the hands of thousands of call center staff and so-called 'navigators' who may or may not have gone through security verifications. Insurance customer information has already leaked outside of exchanges (see below).

Medical identity theft hits new highs

August ended with the report of the second highest-ever identity breach traced to a healthcare provider: 4 million patient names, addresses, dates of birth, Social Security numbers and clinical information, contained on four unencrypted Advocate Health System (Illinois) office computers. It was a 'behemoth breach' in Healthcare IT News' words and has led to the filing of a class-action lawsuit (Privacy Rights Clearinghouse). Now security consultant Ponemon Institute's latest report, released yesterday, increases the breach anxiety level with its 2013 Survey on Medical Identity Theft.

FDA’s discouraging role in medical device security

According to a Wall Street Journal report (unfortunately behind a paywall), hospitals are pointing a very long finger at medical device manufacturers for not updating software and leaving devices open to breaches. Yet the manufacturers readily cite FDA's most recent guidance as prohibiting software updates and security patches without resubmitting their devices for approval, something a spokesperson for the FDA denies as long as the update is for cybersecurity only. If the draft guidance issued in June is actually finalized, it will go the distance in helping manufacturers and hospitals. Hospitals Say Device Manufacturers Resist Boosting Cybersecurity (iHealthBeat)