Medical Fraud

Thursday, April 03, 2008

Top Five Data Security Risks For Healthcare Organizations

ComplianceHome reported the results of a study by Absolute Software Corporation, a provider of computer theft recovery, data protection, and hardware tracking solutions. Absolute identified the five computer security risks health care facilities most often encounter that produce data breaches.

If you are a new I've Been Mugged reader, a data breach is when a person accesses personal data they are not authorized to access. Data breaches lead to identity theft and identity fraud. According to the article:

"Identity theft as a result of stolen or misplaced computers that contain sensitive information is an escalating problem. According to privacyrights.org, there were at least 46 US data breaches involving 62 stolen or lost computers at healthcare facilities in 2007, resulting in almost five million compromised identities."

That means that in 2007 alone, health care facilities (e.g., hospitals, health clinics, etc.) exposed the personal data of about five million consumers (e.g., patients, employees, former employees, contractors, etc.), making it easy for criminals to commit identity fraud. Absolute found these five computer security risks:

  1. "Failure to Protect Sensitive Data Beyond Encryption: According to the 2003 Health Insurance Portability and Accountability Act (HIPAA) Security Rule, healthcare organizations must encrypt electronic protected health information (EPHI) stored on open networks such as laptops... lost or stolen mobile computers cited as the cause of nearly 50% of data breaches..."
  2. "Inability to Accurately Manage Mobile Computer Assets: In order to achieve HIPAA compliance, healthcare organizations must be able to audit how many computers they have in their inventory, where they are assigned, who is logging into them, what software is installed and where the computer is physically located. However, recent studies show that most organizations are able to locate only 60% of their mobile computer assets."
  3. "Sensitive Information on Public Terminals: Many healthcare facilities allow public information to be accessed on open-air terminals, such as nursing stations, public information terminals and help stations."
  4. "Difficulty Implementing a Comprehensive Data Security Plan: Healthcare facilities need to institute a comprehensive data security plan to secure computing assets and sensitive information. Asset tracking and recovery software should be part of a comprehensive approach, which also includes cable locks, encryption software and secure passwords."
  5. "Reluctance to Create a Data Breach Policy: Few healthcare facilities have 'nightmare scenario' policies in place should a data breach occur. In the event of a data breach, there should be a standard procedure in place for timely notification of supervisors, law enforcement, patients and the media."

If I had to sum up this situation, it seems that too many health care facilities are in denial about protecting the sensitive data they archive, including tracking who has what equipment and having a process to resolve things when a data breach happens. What a pathetic state of security! Something to keep in mind the next time you visit a hospital as a patient or as a job applicant.

Friday, March 14, 2008

Woman Claims Salem Clinic Mishandled Patient Records

Portland, Oregon-based KATU reported the following about the Salem Clinic:

"The records of some patients were apparently included in an employee handbook, according to an ex-employee. A former worker, who wishes to remain anonymous, told KATU News that everything from actual Social Security numbers to records revealing patient's ailments were part of the clinic's training binder. She also said employees were allowed to take the handbooks home. The woman said she was fired after pointing out the problem on Wednesday."

If true, this is a big data breach. It just shouldn't happen in a well-managed company. It is wrong in several ways.

First, the whistleblower should not lose their job after a company's data breach. Second, it's better to insert fake or dummy patient records in an employee training handbook that the company knows will be taken into homes.

I hope that the Salem Clinic gives all of the data breach victims at least 5 years of free credit monitoring services. I'm sure an enterprising lawyer will represent the former employee.

Thursday, February 14, 2008

Credit Monitoring Service Arranged By Horizon BCBS of New Jersey Covers Minors

An I've Been Mugged reader sent me this notice from Horizon Blue Cross Blue Shield of New Jersey. While there seems to be a corporate data breach every month involving laptop computers, this notice caught my attention because it is the first credit monitoring service I've seen after a corporate data breach which covers minors.

Recently, there have been several high-profile data breaches where the sensitive data of minors was stolen or exposed, along with the sensitive data of the adult employees, former employees, and/or customers. In January 2008, InformationWeek magazine reported the data breach at Horizon BCBS of New Jersey involving yet another stolen laptop computer:

"Horizon Blue Cross Blue Shield of New Jersey has notified its members that an employee laptop computer containing personal information -- including Social Security numbers -- for about 300,000 individuals was stolen in early January... On its Web site, the company says a "security feature was initiated" on Jan. 28 that "destroys all the data on the stolen computer." Horizon Blue Cross Blue Shield of New Jersey says the personal information contained on the computer also included names and addresses of members, but no medical data."

Why do employees insist on placing such large amounts of sensitive data on laptops? This is not a good data security habit. I can't imagine what application requires 300,000 customer records on a single laptop. 30 records sounds reasonable. 300 records sounds like a stretch. 300,000 records is just ridiculous. It gives the impression that Horizon does not train (and has not trained) its employees on effective data security practices.

The good news here is that Horizon notified its members promptly, within 30 days. (Contrast that with IBM, which took over 2 months to notify me and others.) And parents can monitor their children's credit reports. Sadly, identity thieves abuse minors' sensitive personal data in the same ways as adults'.

However, like most other companies, Horizon offered its ID-theft victims, including minors, only one year of free credit monitoring service. Horizon arranged its credit monitoring service offer with the Family Secure service, operated by the Experian credit bureau.

While Horizon is free to arrange credit monitoring service with whichever provider it chooses, and some may consider one year of free credit monitoring service an example of good corporate responsibility, I do not.

The risk period where identity thieves can abuse this personal information is far longer than one year. Regardless of what Horizon says in its data breach letter, the ID-theft victims have to plan for the worst and monitor their credit reports indefinitely... far longer than one year.

Horizon's ID-theft victims should also place a Security Freeze on their credit reports. (Not a Fraud Alert, but a Security Freeze. There is a huge difference.) With only one year of free credit monitoring, Horizon has shifted the risk and financial burdens from itself to its members.

That's an example of not being a responsible corporate citizen.

Tuesday, January 15, 2008

Appeals Court Upholds Verdict in Sloane v. Equifax

A recent FindLaw article by Anthony Sebok reported:

"The U.S. Court of Appeals for the Fourth Circuit recently upheld a sizable verdict against a credit agency for failing to promptly and efficiently aid a victim of identity theft. The decision in Sloane v. Equifax Information Services does not break new doctrinal ground. It does, however, underscore how identity theft could become a headache not only for individual consumers, but large financial reporting companies."

In 2003, Suzanne Sloane (Sloane) had her Social Security number stolen at Prince William Hospital in Virginia by a hospital employee named Shovana Sloane. The identity thief quickly ran up a $30,000 debt in Sloane's name. Sloane notified Equifax of the theft and provided appropriate documentation of the fraudulent charges according to Equifax's instructions. Shovana Sloane was later arrested and convicted of the identity theft crime. At the jury trial, Equifax was found liable: through its incompetence it had compounded the problem and never accurately fixed Suzanne Sloane's credit report.

"Finally, in November 2005, Sloane sued all three of the national credit reporting agencies, the Prince William Hospital and the employment agency that had helped place Shovana Sloane. Sloane settled with all the defendants but Equifax."

Here's the most important part of the story for consumers:

"Sloane sued the credit agencies under the Federal Credit Reporting Act, a 1968 law Congress passed to protect consumers from negligently-maintained credit records. The law sets out requirements to ensure that credit reporting agencies maintain accurate records, and it provides for a private right of action by injured consumers, who may seek to recover damages in the event that a credit reporting agency negligently violates any of the statute's requirements. At trial, the jury found that Equifax had violated the FCRA and awarded Sloane $106,000 in economic losses and $245,000 in mental anguish."

The Appeals Court did reduce the amount of Sloane's award to $150,000. Maybe the credit bureaus will now take identity theft more seriously. In my opinion, the reduction was unwise since identity theft strikes at a consumer's ability to take care of themselves and their family. In his article, Sebok correctly concludes:

"As the Fourth Circuit itself noted, FCRA cases are changing. Whereas errors used to arise from simple carelessness within the banking industry itself, the possibility of the errors' resulting, instead, from identity theft, as occurred here, is increasing, along with the ubiquity of the Internet, Wi-Fi, and smartphones. Credit reporting agencies will be the means by which much more misinformation will be "published" and the consequences of lax practices for correction will grow even more severe."

Thursday, November 29, 2007

Doctors May Be Fined For Not Protecting Patients' Data

From the ZDNet U.K. site:

"Doctors who lose confidential patient information should be held accountable for the loss, according to the Information Commissioner's Office. Information commissioner Richard Thomas, giving evidence at a House of Lords Constitution Committee inquiry into data collection and surveillance on Wednesday, proposed that a doctor who is found to be "flouting data-protection principles" should be fined £5,000 by magistrates, or alternatively face an unlimited fine in a Crown Court."

I agree 1,000 percent. Given the problems with identity theft in the healthcare industry, this should be the law here in the USA, too.

Tuesday, November 20, 2007

Attempts To Stop Medical Identity Theft

From the North Carolina News & Observer:

"About six months ago, Family Medical Associates of Raleigh started taking photos of its patients to add to its permanent electronic file. That way, when someone comes in for an appointment, the administrator can quickly pull up the medical records and confirm that the person seeking treatment is indeed the correct patient, said Janet Spangler, administrator for the practice."

Medical identity theft is a problem needing more discussion:

Medical identity theft occurs when someone uses another person's personal information to get medical services or prescriptions or collect money from medical claims.

Most of the attention on identity theft so far has focused on financial fraud: opening credit or getting loans in another person's name; using another person's credit card number; and stealing from another person's financial accounts.

From an MSNBC news article, why consumers should check the accuracy of their medical files:

"...if an identity thief presents himself at the hospital in your name and is identified as having a different blood type, that blood type ends up registered in your medical history, with potentially disastrous consequences if you end up in a serious accident. Or suppose you apply for a new job. Even if you’re fit as a fiddle, you could still fail a pre-employment medical screening or be rejected for company-provided health insurance because of the inaccurate presence of an ailment in your medical history that you don’t have."

The same MSNBC article reports medical identity theft as a growing problem:

"In a report last year, the World Privacy Forum found that the number of Americans identifying themselves in government documents as victims of medical identity theft had nearly tripled in just four years, to more than a quarter-million in 2005. Motives for medical identity theft can vary. Some thieves, as in these cases, are seeking controlled medications. Others are seeking federal money."

Thursday, November 01, 2007

8 Out of 10 Medical Bills May Contain Errors

There's an excellent article in the Washington Post about how to read hospital medical bills so you can determine if they are accurate. Inaccurate hospital bills can cost you money; either you end up paying more than you should, or somebody else may be using your benefits (medical fraud). Some tips from the article:

"Reviewing your EOB before you get a bill is the best way to track your medical expenses. If your insurer offers you the ability to review your EOBs online, sign up; if you can receive e-mail alerts, even better. Susan Johnson, a senior consultant at Watson Wyatt Worldwide, advises checking that the name, address, insurance group and identification numbers are correct. If they are inaccurate, it might mean that you have received someone else's EOB by mistake, or, more worryingly, that someone is using your health benefits without your consent."

"Next, check the claim activity to ensure that the name of the health care provider, services rendered and dates tally with your recollection. "Sometimes you can get billed for tests you didn't have," says Johnson. Often this is due to a clerical error; however, multiple procedures for which you have no memory of receiving and/or surprisingly high charges can signal insurance fraud."

All medical plans offer an appeals process. It's best to use it and to submit any appeal requests in writing. Often, you may need the services of a medical bill advocate. This article offers plenty of useful advice.

  • George Jenkins, author of the I've Been Mugged Blog

  • © 2007 - 2008. George Jenkins. All Rights Reserved.