HHS Reports on Breaches of Unsecured Protected Health Information

In its recent Annual Report to Congress on Breaches of Unsecured Protected Health Information, the Office for Civil Rights (OCR) of the Department of Health and Human Services confirms two trends we have been watching: breaches are getting bigger, and more of them involve theft or loss of electronic media:

Between January 1, 2010 and December 31, 2010, breaches involving 500 or more individuals also made up less than one percent of reports, yet accounted for more than 99 percent of the more than 5.4 million individuals who were affected by a breach of their protected health information. The largest breaches in 2010, like 2009, occurred as a result of theft. However, in comparison to 2009, in 2010, the number of individuals affected by the loss of electronic media or paper records containing protected health information was greater than the number of individuals affected by unauthorized access or human error.

"Once More Unto the Breach, Dear Friends, Once More": The Increasing Recognition of Complexity in Data Breach Response and Reporting

In an article in today's New York Times, we get some real-life insight into the difficulties in responding to a data breach.  Even simple questions, like whether or not to report the breach and who is responsible for reporting it, take on unforeseen complexity.

The particular breach in question happened at the Massachusetts eHealth Collaborative, when an employee's car was broken into and a company laptop stolen.  The ramifications included:

  • spending nearly $300,000 in legal, private investigation, credit monitoring and media consultancy fees;
  • devoting 600 person-hours of staff time to the breach;
  • hiring a crisis team of lawyers and customers and a chief security officer;
  • hiring a private investigator to scour local pawnshops and Craigslist for the stolen laptop; and
  • notifying some of the affected patients and offering them free credit monitoring.

The eHealth Collaborative's Executive Director, Micky Tripathi, first outlined the breach, and now critiques the article, in his blog.

Most Recent Sony Breach Illustrates the Cascading Effect of Data Breaches

By Michael V. Dowd

It was revealed recently that Sony’s on-line services were the subject of another significant attack. This incident, however, did not exploit a vulnerability in Sony’s security infrastructure so much as it highlighted the cascading effect of data breaches.

Rather than try to scale any fences or jimmy any windows, this attack used account holders’ own keys to open the front door. According to a statement by Sony, the attackers tested a “massive set” of log-in credentials, consisting of pairs of user IDs and passwords, against accounts on three of its networks. Even though the “overwhelming majority” of the log-in attempts failed, they successfully breached about 93,000 user accounts. This indicates that the attackers used stolen log-in credentials, and did not resort to brute force or dictionary attacks. 

How did the attackers obtain this trove of log-in information? Sony says it is "likely" they were stolen from elsewhere and not from its own networks, based on the low success rate: credentials taken from Sony's own database would have worked far more often than they did. This may well be true, given the numerous incidents reported of late, some of which gave rise to our post referring to 2011 as The Year of the Breach.

If that scenario holds, it highlights the secondary effects of data breaches, and the relationship among user accounts on different on-line services. It has long been known that individuals often reuse the same username and/or password across multiple on-line services. As a result, if any one of those services suffers a breach that exposes its log-in information, corresponding accounts on the other services become open to the attackers. It is very much a “weakest link” situation.
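The account-testing pattern described above can be spotted in an authentication log without knowing where the credentials came from: a single source tries many different usernames, once or twice each, and almost always fails, which is the opposite profile of a brute-force attack that hammers one account. The following is an added example, not Sony's code and not anything reported about its systems; the log format, the constructed sample lines (RFC 5737 documentation addresses) and the thresholds are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample authentication log (not real traffic; the source
# addresses are from the RFC 5737 documentation ranges). Three behaviours:
#   203.0.113.7   tries 12 different accounts once each, one succeeds
#                 (the stuffing pattern: many users, few attempts each)
#   198.51.100.20 one user mistypes a password twice, then logs in
#   198.51.100.21 hammers a single account (brute force, not stuffing)
_STUFFING = [
    f"2011-10-10T03:14:{i:02d}Z src=203.0.113.7 user=user{i:02d} "
    f"result={'OK' if i == 7 else 'FAIL'}"
    for i in range(1, 13)
]
_TYPO = [
    "2011-10-10T03:20:01Z src=198.51.100.20 user=alice result=FAIL",
    "2011-10-10T03:20:09Z src=198.51.100.20 user=alice result=FAIL",
    "2011-10-10T03:20:20Z src=198.51.100.20 user=alice result=OK",
]
_BRUTE = [
    f"2011-10-10T03:30:{i:02d}Z src=198.51.100.21 user=carol result=FAIL"
    for i in range(1, 11)
]
SAMPLE_LOG = "\n".join(_STUFFING + _TYPO + _BRUTE)

# Assumed log format; adapt the pattern to whatever your auth service emits.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


@dataclass
class SourceStats:
    attempts: int = 0
    successes: int = 0
    users: set = field(default_factory=set)


def parse_log(text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def summarize(events):
    """Aggregate attempts, successes and distinct usernames per source."""
    stats = defaultdict(SourceStats)
    for ev in events:
        s = stats[ev["src"]]
        s.attempts += 1
        s.users.add(ev["user"])
        if ev["result"] == "OK":
            s.successes += 1
    return dict(stats)


def flag_stuffing(stats, min_attempts=10, max_success_rate=0.10, min_user_ratio=0.8):
    """Sources that tried many *different* accounts and mostly failed.

    The distinct-user ratio separates stuffing (about one try per leaked pair)
    from classic brute force (many tries against one account), which also
    fails a lot but touches very few usernames.
    """
    flagged = []
    for src, s in stats.items():
        if s.attempts < min_attempts:
            continue
        success_rate = s.successes / s.attempts
        user_ratio = len(s.users) / s.attempts
        if success_rate <= max_success_rate and user_ratio >= min_user_ratio:
            flagged.append(src)
    return sorted(flagged)


def detect(text, **thresholds):
    """Parse, aggregate and flag in one call; returns the flagged sources."""
    return flag_stuffing(summarize(parse_log(text)), **thresholds)


if __name__ == "__main__":
    for src in detect(SAMPLE_LOG):
        print(f"possible credential stuffing from {src}")
```

On the constructed log only 203.0.113.7 is flagged: the brute-force source fails just as often but touches a single username, and the legitimate user never reaches the attempt threshold. In production the same aggregation should be done per time window and ideally per ASN as well, since stuffing campaigns are usually spread across many source addresses.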

This risk was also raised in the immediate aftermath of the data breaches at Sony this past Spring. The company initially reported the loss of unencrypted account passwords, which could have had the same cascading effect on its users’ other accounts. Sony later stated that the passwords were in fact hashed. As we described at the time, “hashing” differs from “encryption”: a hash is a one-way function that cannot be decrypted to recover the password, so storing passwords in hashed form can be an effective way to keep an attacker from seeing or using the plain-text passwords of account holders. The caveat is that hashing only delivers that protection when it is done properly, with a per-user salt and a deliberately slow algorithm such as bcrypt, scrypt or PBKDF2; an unsalted, fast hash such as plain MD5 or SHA-1 lets an attacker recover most common passwords from a leaked table in a matter of hours. Password hashing is a well-known security technique that apparently was not in place at the “weak link” among the on-line services shared by those 93,000 users.
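To make the hashing point concrete, the following added example (not Sony's code, and not anything reported about how it stored passwords) stores a password with PBKDF2-HMAC-SHA256 and a random per-user salt, then shows that the same password registered at two services yields two unrelated records, so a record leaked from one cannot be replayed as the password at the other. An unsalted SHA-1 helper is included only for contrast with the weak scheme. The record format is an assumption chosen for illustration.

```python
import hashlib
import hmac
import os

# Assumed record layout for this example: "pbkdf2_sha256$iterations$salt$digest"
ALGORITHM = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 200_000  # raise over time as hardware gets faster


def make_record(password, iterations=DEFAULT_ITERATIONS, salt=None):
    """Derive a stored password record with a fresh random per-user salt."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify(password, record):
    """Re-derive the digest from the candidate password; compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
        if algorithm != ALGORITHM:
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iterations = int(iterations)
    except ValueError:
        return False  # malformed record: fail closed rather than crash
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def unsalted_sha1(password):
    """The weak scheme: fast and unsalted, so equal passwords give equal digests."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def same_password_two_services(password):
    """Simulate one user registering the same password at two separate services."""
    return make_record(password), make_record(password)


if __name__ == "__main__":
    a, b = same_password_two_services("correct horse battery staple")
    print("records differ:", a != b)
    print("leaked record usable as a password elsewhere:", verify(a, b))
    print("same password, unsalted SHA-1, same digest:",
          unsalted_sha1("hunter2") == unsalted_sha1("hunter2"))
```

With the salted, slow scheme an attacker who steals the table must crack each record individually and cannot match records across services; with `unsalted_sha1` every service storing the same password holds the same digest, and one precomputed table cracks them all.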

HIPAA Breaches Reported to OCR Near 300

When we last looked at OCR's reporting on HIPAA breaches impacting 500 or more individuals, back in May 2011, there had been 265.  This was up from September 2010, when there had been 191 such breaches. As of today, there are 292 listed.  Given that the last reported date of breach on OCR's list is May 8, there are surely over 300 breaches that have now been reported.

Another Big HIPAA Settlement: The UCLA Health System Settles for $865,500

In another sign that OCR is continuing to seek significant penalties for HIPAA violations, it announced on July 7 that the UCLA Health System ("UCLAHS") has agreed to settle potential violations of the HIPAA Privacy and Security Rules for $865,500 and has committed to a corrective action plan aimed at remedying gaps in its compliance with those rules.  This follows on the heels of Massachusetts General Hospital's $1 million settlement with OCR.

The resolution agreement resolves two separate complaints filed with OCR on behalf of two celebrity patients who received care at UCLAHS. The complaints alleged that UCLAHS employees repeatedly and without legitimate reasons looked at the electronic protected health information of these patients. OCR's subsequent investigation into the complaints revealed that from 2005-2008, unauthorized employees repeatedly looked at the electronic protected health information of numerous other UCLAHS patients.  

The corrective action plan requires UCLAHS to implement Privacy and Security policies and procedures approved by OCR, to conduct regular and robust trainings for all UCLAHS employees who use protected health information, to sanction offending employees, and to designate an independent monitor who will assess UCLAHS compliance with the plan over 3 years.  All in all, a very expensive proposition for UCLAHS.

2011: The Year of the Breach

We are six months into 2011, and it seems destined to be “The Year of the Breach.”  In just the past few months, major American (and multi-national) corporations and institutions have reported that they have been the victims of some kind of security breach:

  • Epsilon: breach of customer email addresses;
  • RSA: compromise of security tokens (possibly impacting Lockheed Martin);
  • Citigroup: breach of credit card numbers;
  • Sony: multiple thefts of customer data;
  • Sega: customer data theft; and
  • ADP: breach of its benefits-administration business.

What does this mean? First, there are simply more breaches to report. Second, companies are being more open about reporting breaches, both because they are legally required to and because such disclosures are expected by consumers and regulators. Third, these breaches and the resulting publicity will bring legal and corporate reactions. 

On a legal/regulatory level, we are even more likely to see federal data security legislation and stepped-up enforcement. On the corporate side, more and more resources are going to be poured into prevention of breaches. For corporate CIOs, it’s the best of times and the worst of times: they are getting access to more resources, but are facing more and different challenges.

EU Chimes in on Sony Data Breach

The EU's Justice Commissioner has chimed in on the Sony data breach, stating that Sony must "take the relevant technical and organizational measures to guarantee protection against data loss or an unjustified access."

North Versus South: South Korea Accuses North Korea of Cyberattack

As we have noted in the past, there seems to be an ongoing cyber war between North and South Korea.  The latest salvo in that skirmish was apparently fired last month, in an April 12 cyberattack on Nonghyup Bank, which is alleged to have been orchestrated by North Korea.

Sony Mega-Breach Spotlights Data "Security" Myths

By Michele A. Whitham

Sony’s unenviable status as the victim of the record theft of 77,000,000 individuals’ personal information underscores a reality that the on-line business community would like its army of customers to forget: it’s not just that the so-called “hackers” can be very good at what they do, it’s that the appointed guardians of legally protected personal information are not necessarily awake at the switch. Two weeks after this “illegal and unauthorized” intrusion, which took place sometime between April 17 and April 19, there is still no confirmation that Sony’s PlayStation and its related service, Qriocity, had adequate (or any) security.

There have been numerous suggestions that the PlayStation’s basic encryption of protected personal information was weak or non-existent. What other explanation could there be for Sony blogging to its customers that it might be able to restore “some services within a week” than an apparent mad scramble at Sony to create a secure platform for its popular on-line gaming services, or at best fix a platform that was demonstrably flawed? 

Sony’s public silence on the matter is troubling, yet it underscores the peculiar burden-shifting regime that seems to be emerging by default. While the plethora of statutes regulating the protection of sensitive personal data require hacked companies like Sony to notify their customers promptly and provide such benefits as credit monitoring services, there has been little action by enforcement authorities to regulate companies before a breach, in a manner that would require sophisticated, upfront security for the protected personal information companies collect and thereby avoid preventable breaches.

As a result of this reactive regulatory scheme, on-line businesses seem to be operating in a “buyer beware” world, where the burden of data security falls on the consumer. Since Sony’s data loss reportedly extends to the names, birthdates and purchase histories of the children of families whose credit card and account information may also have been compromised, it may be time for consumers to insist that more attention be paid by the regulators to ensuring the implementation of prophylactic, site security “best practices” and not just on rules for cleaning up the mess after it has happened.

Big HIPAA Breaches Now Number 265

When we last looked at OCR's reporting on HIPAA breaches impacting 500 or more individuals, back in September 2010, there had been 191 such breaches. In the intervening 7 months, that number has jumped to 265 such breaches listed on OCR's website.  It's safe to expect these figures will continue to climb for the foreseeable future.

Health Net Announces Second Major Breach in Two Years; Creates Potential for Largest Ever Penalty

On March 14, the California-based managed care organization, Health Net, Inc., announced that it cannot account for "several server drives" that contained protected health information. According to California regulators, these drives appear to contain the data of 1.9 million people nationwide:

The company announced today that nine of its server drives containing personal information for 1.9 million current and past enrollees nationwide are missing, including records for more than 622,000 enrollees in Health Net products regulated by the DMHC, more than 223,000 enrolled in California Department of Insurance products, and a number enrolled in Medicare.

Since this is the second incident in two years for the company (see "Connecticut AG Opens New Era in HIPAA Enforcement with Health Net Suit"), it will be interesting to see what kind of penalty Health Net could face from the federal government.  In that regard, consider that the loss of 192 records just cost Massachusetts General Hospital $1 million.  If a penalty in the same proportion were applied to this breach, Health Net could face a penalty of over $9 billion.

Compliance Approaches in the Changing HIT Privacy and Security Landscape: How You Can Nurture a Culture of Health Information Security and Privacy

My slides from this presentation, "Compliance Approaches in the Changing HIT Privacy and Security Landscape:  How You Can Nurture a Culture of Health Information Security and Privacy" cover HIPAA and HITECH developments and compliance, with a focus on breaches and OCR settlements/penalties, including:

500 Is a Magic Number: Health Information Breaches Impacting 499 or Fewer Patients Likely Go Uninvestigated By OCR

In the recently-released fiscal 2012 budget for HHS, a dirty little secret has been acknowledged:  the Office for Civil Rights does not have the resources to review all reported breaches of health information.  In fact, if you have a breach that impacts up to 499 people, you are unlikely to hear from OCR at all:

Current OCR practice is to validate, post to the HHS website, and subsequently investigate all breach reports that impacted more than 500 individuals. Breach reports that impacted fewer than 500 individuals are compiled for future reporting to Congress; however they are treated as discretionary and only investigated if resources permit.

While this prioritization makes a certain amount of sense, it leaves the vast majority of breaches unreviewed.  According to that same budget report, "[a]s of September 30, 2010, OCR has received a total of 9,300 breach reports (191 impact more than 500 individuals and 9,109 impact less than 500 individuals)."  That's a mere 2% of all breaches that have OCR's full attention.  The takeaway from this is to count your breaches carefully before reporting, as there seems to be a real benefit to being able to report an impact on fewer than 500 individuals.

Apparent HIPAA Violations in Hospital Treating Tucson Shooting Victims

As so often happens following a hospital's involvement in a high profile event, the Tucson hospital treating the victims of the recent shooting is reported to have fired several staff, presumably for looking at patient records they should not have looked at:

Katie Riley, the Director of Media Relations in the Office of Public Affairs at the Arizona Health Sciences Center, said in a statement:

"University Medical Center takes the privacy of all patients very seriously.  The hospital has terminated three clinical support staff members this week for inappropriately accessing confidential electronic medical records, in accordance with UMC's zero tolerance policy on patient privacy violations.

"A contracted nurse also was terminated by the nurse's employer.  We are not aware of any confidential patient information being released publicly.

"The families of all patients whose information was accessed have been notified. Any potential breaches of patient privacy by UMC staff will be investigated and appropriately addressed."

The lesson, of course, is that curious people are all around us and many of them are looking for data they have no right to see.  Our information systems have to be designed to guard against them.

California Department of Public Health Issues Privacy Breach Fines to 8 Health Care Facilities

On November 19, the California Department of Public Health (CDPH) announced that eight health care facilities (mostly hospitals) have been assessed administrative penalties and fines totaling $792,500 after a determination that the facilities failed to prevent unauthorized access to confidential patient medical information.

The fines ranged from a low of $5,000 to a high of $250,000:

1. Biggs Gridley Memorial Hospital, Gridley, Butte County: The hospital was assessed a $5,000 fine after the facility failed to prevent unauthorized access of one patient’s medical information by two employees on three occasions.

2. Children’s Hospital of Orange, Orange, Orange County: The hospital was assessed a $25,000 fine after the facility failed to prevent unauthorized access of one patient’s medical information by one employee.

3. Delano Regional Medical Center, Delano, Kern County: The hospital was assessed a $60,000 fine after the facility failed to prevent unauthorized access and disclosure of one patient’s medical information by one employee on three occasions.

4. Kaweah Manor Convalescent Hospital, Visalia, Tulare County: The nursing home was assessed a $125,000 fine after the facility failed to prevent unauthorized access and use of five patients’ medical information by one employee.

5. Kern Medical Center, Bakersfield, Kern County: The hospital was assessed a $60,000 fine after the facility failed to prevent unauthorized access and disclosure of one patient’s medical information by two employees on three occasions.

6. Kern Medical Center, Bakersfield, Kern County: The hospital was assessed a $250,000 fine after the facility failed to prevent the theft of 596 patients’ medical information.

7. Oroville Hospital, Oroville, Butte County: The hospital was assessed a $42,500 fine after the facility failed to prevent unauthorized disclosure of one patient’s medical information by one employee on two occasions.

8. Pacific Hospital of Long Beach, Long Beach, Los Angeles County: The hospital was assessed a $225,000 fine after the facility failed to prevent unauthorized access and use of nine patients’ medical information by one employee.

CDPH has assessed the penalties to these facilities under new legislation intended to protect the confidentiality of medical records. CDPH has determined that the hospitals failed to prevent unauthorized access to patient medical information, as required by Section 1280.15 of the Health and Safety Code. The penalties on this release are the first of their kind issued to each of these facilities.

An administrative penalty of $25,000 may be assessed against a medical facility for the breach of each patient’s medical information. A penalty of up to $17,500 is added for each subsequent breach of each patient’s medical information.

Facilities are required to submit a plan of correction to CDPH within 10 working days and implement a plan of correction to prevent future incidents. Facilities can appeal an administrative penalty by requesting a hearing within 10 calendar days of notification. If a hearing is requested, the penalties are to be paid if upheld following appeal.

All hospitals in California are required to be in compliance with applicable state and federal laws and regulations governing general acute care hospitals. The hospitals are required to comply with these standards to ensure quality of care.

In 2008, Governor Arnold Schwarzenegger signed legislation, SB 541 and AB 211, to improve patient privacy laws and to address breaches of confidential information.

SB 541 by Senator Elaine Alquist (D-Santa Clara) sets health facility fines for privacy breaches and increases the fines for serious medical errors in hospitals. The new law ensured that health care providers face real consequences when they fail to protect patients. For facilities, fines for disclosing private medical information range up to $250,000 per reported event.

AB 211 by Assemblymember Dave Jones (D-Sacramento) requires health providers to prevent unlawful access, use or disclosure of patients' medical information and hold health care providers and other individuals accountable for ensuring the privacy of patients.

Connecticut Insurance Commissioner Fines Health Net of Connecticut $375,000 for Information Security Lapses

On November 8, 2010, the Connecticut Insurance Commissioner, Thomas Sullivan announced that the state's Insurance Department has reached an agreement with Health Net of Connecticut to pay $375,000 in penalties levied for what the Insurance Department characterized as "failures to safeguard the personal information of its members from misuse by third parties."  This included what the Insurance Department considered untimely notification of the 2009 loss of a disk drive resulting in the loss of personal health information of approximately 500,000 Connecticut members. 

Health Net will be providing credit monitoring protection for 2 years to all Connecticut members and providers who were affected by the 2009 data breach.  Health Net also has undertaken significant steps to improve data and equipment security.  Under the terms of the settlement, none of the cost of those improvements will be passed along to Health Net members.

Sources have indicated that the overall cost to Health Net in responding to this breach has been over $7 million.  Our July 7, 2010 posting contains information about the Connecticut AG's settlement of HIPAA claims with Health Net.

Gone Baby Gone: More Massachusetts Medical Records Go Missing

Following on the heels of the discovery of hospital records in a town garbage dump, today's Boston Globe reported that "computer files that possibly contained personal information on about 800,000 people connected to South Shore Hospital are 'unrecoverable.'"  However, the investigation into this breach determined that there was a low risk of harm to those individuals whose records were lost, given that the tapes in question "would require specialized equipment and software to read the information."

Interestingly, South Shore Hospital originally planned to give individual notice, but changed plans and went with a public notice in the Boston Globe instead.  The Attorney General’s Office "has objected to South Shore Hospital’s revised notification plans and maintains that affected consumers should receive individual notification as originally represented by South Shore Hospital in its prior public announcements concerning the data loss."

The confluence of these events is building the pressure on state regulators to beef up existing laws and regulations about the disposal of health information -- even beyond what is already required by HIPAA and a robust set of state rules.  A particular focus of any future crackdown may be the vendors that perform much of the disposal.

TJX Settles Investor Lawsuit Related to Data Breach

According to a report in the Boston Globe, TJX has settled a lawsuit brought by the Louisiana Municipal Police Employees’ Retirement System, a TJX stockholder, which had alleged that the TJX board of directors failed to protect customers’ personal data, apparently in connection with the Albert Gonzalez breach. Bloomberg News has reported that the case was settled for $595,000 in legal fees and an agreement regarding enhanced oversight of customer files.  There is no reference to this suit in TJX's most recent Form 10-Q.

One Million Impacted by Blue Cross Blue Shield of Tennessee Data Breach: How Do You Remediate on that Scale?

Blue Cross Blue Shield of Tennessee announced last week that nearly 1 million of its members have been affected by the theft of hard drives containing unencrypted personal data.  BCBSTN had previously announced in January that 1.6 million files with unencrypted personal and protected health information of about 500,000 members in 32 states were breached in October 2009, due to a theft of 58 hard drives.

While the breach itself is significant for its size, the subsequent remediation efforts are also worthy of note.  As of April 2, a total of 998,422 current and former BCBSTN members have been identified, and 550,873 notifications have been sent indicating that their personal information was included on the stolen hard drives.

BCBSTN has published a detailed analysis that explains how it has gone about remediating the breach.  The affected individuals have been broken into tiers. There are 238,589 members in the Tier 3 category – who had the most data on the stolen hard drives (their name, address, Blue Cross member ID number, diagnosis, Social Security number and/or date of birth).  Those in Tier 3 have been sent a notification detailing the services available to them through BCBSTN. They will receive free credit monitoring for one year, free identity monitoring and access to the Kroll ID TheftSmart program free for one year. 

Another 312,284 current and former members fell into the Tier 2 category (they had their name, address, Blue Cross member ID number, date of birth and/or diagnosis on the hard drives).  An additional 447,549 current and former members were placed in the "lowest" category – Tier 1 -- for having their name, address, Blue Cross member ID number and/or date of birth on the hard drives.  Those current and former members in Tiers 1 and 2 will receive access to the Kroll ID TheftSmart program free for one year.

Connecticut AG Opens New Era in HIPAA Enforcement with Health Net Suit

In the first instance of a state attorney general exercising the new powers granted by the Health Information Technology for Economic and Clinical Health Act ("HITECH Act"), Connecticut Attorney General Richard Blumenthal (and recently announced candidate for the U.S. Senate) filed suit today against Health Net of Connecticut, Inc. for failing to secure private patient medical records and financial information involving 446,000 enrollees in Connecticut and for failing to promptly notify consumers of the security breach.  AG Blumenthal is also seeking a court order to require Health Net to encrypt any protected health information (“PHI”) contained on a portable electronic device.

The AG’s suit stems from events that occurred in May 2009, when he alleges Health Net learned that a portable computer disk drive disappeared from a company office. The disk contained protected health information, Social Security numbers, and bank account numbers for approximately 446,000 of its past and present Connecticut enrollees.  AG Blumenthal further alleges that Health Net failed to promptly notify his office or other Connecticut authorities of this missing information. The missing information is said to include 27.7 million scanned pages of over 120 different types of documents, including insurance claim forms, membership forms, appeals and grievances, correspondence and medical records.  

According to an investigative report by Kroll Inc., a computer forensic consulting firm hired by Health Net, the data was not encrypted or otherwise protected from access and viewing by unauthorized persons or third parties, but rather was viewable through the use of commonly available software. The Connecticut Attorney General alleges that it was not until six months after Health Net discovered the breach that it posted a notice on its website, and then sent letters to consumers on a rolling mailing basis beginning on November 30, 2009.

Encryption Used By Hackers to Demand Ransom for Virginia Prescription Database

Wikileaks is reported to have published a copy of the ransom note (please pardon the grammar and language in the original): "I have your [expletive] in *my* possession, right now, are 8,257,378 patient records and a total of 35,548,087 prescriptions.  Also, I made an encrypted backup and deleted the original. Unfortunately for Virginia, their backups seem to have gone missing, too. Uhoh :( For $10 million, I will gladly send along the password."  Neither the Wikileaks site nor the Virginia site is accessible as I write this.  A spokesman for the FBI's Richmond, Virginia office said today that the agency was investigating a referral from the Virginia Information Technologies Agency.  Assuming this breach is real, it carries with it a certain amount of irony, in that encryption, the very control that would have protected the data from a thief, is being used as part of the extortion plot. Could this breach have been prevented? It is also hard to believe that hackers would be able to access the backup files as well; backups kept offline or otherwise separated from the production systems should not be reachable by the same intruder. There are more questions than answers at this point, but there will surely be lessons to be learned.

Another Day, Another Celebrity's Hospital Record Breached

It seems an inevitable consequence of modern celebrity: when you go to the hospital, hospital workers will look at your records (even though they have no medical reason to). The latest example of this involved the infamous mother of octuplets, Nadya Suleman. It resulted in the firing of 15 hospital workers at Kaiser Permanente’s hospital in Bellflower, California. All these violations have been reported by Kaiser to the California Department of Public Health. 

But this isn’t really news. The hospital records of other celebrities (like Britney Spears, Farrah Fawcett and Gianni Versace) also have been improperly accessed in recent years. The real issue raised by these events is: what lesson do we take away for compliance purposes to prevent it from happening in the future? The vigilant CIO sends these examples around to his/her staff to remind them of these pitfalls. And when you learn of a celebrity in your midst, you should specifically warn staff not to pursue the records of individuals for matters that do not concern them on a professional basis; you might even consider special additional security precautions, such as flagging the record so that every access is logged and reviewed. There will always be more of these types of breaches, but it doesn’t have to happen at your company if you continually remind people about their obligations to maintain confidentiality.