Data Breaches Come in Many Forms
By Dennis Kennedy, Dressman Benzinger LaVelle psc
Reports of data breaches are appearing in the media at an alarming rate. No one industry is safe from cyber attacks. In fact, recent attacks have been made against financial institutions, retail outlets, and health insurance companies. Most recently, Anthem announced a data breach affecting more than 80 million current and former customers. While cyber attacks across various industries have been grabbing the headlines, data breaches come in many forms.
In December 2014, a nonprofit behavioral health care organization with five facilities settled with the United States Department of Health and Human Services (“DHHS”) for potential violations of HIPAA related to a breach of electronic protected health information affecting 2,743 individuals. The breach was caused by malware that compromised the security of the organization’s information systems. More specifically, the organization had failed to apply available patches to its information technology resources and was running outdated and unsupported software, which left its systems susceptible to malware.
Once again, cyber attacks are not the only form of data breach. Breaches also occur when protected health information is left unsecured on mobile devices that are then stolen. In these instances the thieves target the device itself, whether a laptop, a tablet, or another handheld device, not necessarily the data on it. In April 2014, according to the DHHS, two entities paid $1,975,220 to resolve potential violations of HIPAA related to stolen laptops that contained unsecured protected health information.
Breaches also occur when information systems are left open to the internet because of faulty safeguards. In May 2014, two entities participating in a joint arrangement settled with the DHHS for $4.8 million related to potential violations of HIPAA. In that case, the breach occurred when a physician, employed by the entities to develop software applications, deactivated a personally owned computer server on the network. The network lacked appropriate safeguards, and the deactivation of the server allowed electronic protected health information to become accessible through internet search engines.
In addition to breaches of electronic protected health information, breaches occur when entities fail to protect physical records. For instance, in June 2014 a facility paid $800,000 to the DHHS to settle potential violations of HIPAA. Specifically, the facility’s employees had left 71 boxes of medical records, relating to 5,000 to 8,000 patients, in the driveway of a retiring physician.
While all of these examples identify the financial penalties paid for potential violations of HIPAA, the cost can be far greater in terms of the patients’ trust and confidence that is lost.
Finally, according to Reuters, the FBI privately warned health care providers in April 2014 that their cyber security systems were lax compared to those of other industries. Health care information is also much more valuable to thieves than credit card information. For instance, a health record may contain patient names, dates of birth, and social security numbers, among other information; everything needed to steal an individual’s identity is contained in a single health record. Combine a perceived lack of sophisticated cyber security with such valuable data, and the health care industry looks like an attractive opportunity to hackers and thieves. Health care providers, including their business associates, must remain vigilant in their efforts to protect information, prevent data breaches, and thwart cyber attacks.
Dressman Benzinger LaVelle psc, Cincinnati, Louisville, Crestview Hills, United States
T: (859) 426-2118; F: (859) 341-6239
published: February 2015