Later On

A blog written for those whose interests more or less match mine.

Your health data are not guarded very well


And why not? Because the companies housing the data have no reason to spend money on it: if the data are stolen, the company suffers no real loss or penalty. Why spend money to guard data if losing it costs them nothing?

Read this ProPublica article by Charles Ornstein:

It’s hard to keep track of even the biggest health data breaches, given how frequently they seem to be happening. Just Tuesday, health insurer Premera Blue Cross disclosed that hackers broke into its system and may have accessed the financial and medical records of some 11 million people. The intrusion began last May but wasn’t discovered until January and wasn’t shared publicly until this week.

Among the information that may have been taken about the insurers’ members and applicants: names, dates of birth, email addresses, street addresses, telephone numbers, Social Security numbers, member identification numbers, bank account information, and claims information, which may include sensitive medical details.

Premera’s announcement comes weeks after another health insurer, Anthem Inc., announced that it too had been hacked—and that the records of nearly 80 million people were exposed.

The task of investigating medical data breaches falls to the Office for Civil Rights, a small agency within the Department of Health and Human Services. Its staff of about 200 investigates thousands of complaints every year, large and small. Last month, ProPublica reported how, as the number of breaches has increased, the office infrequently uses its authority to fine organizations and health providers that fail to safeguard patient records.

The office’s director, Jocelyn Samuels, spoke on Monday to health privacy and security experts gathered in Washington, D.C., for the National HIPAA Summit, named for the Health Insurance Portability and Accountability Act. This 1996 federal law protects the privacy and security of patient records. Her speech preceded Premera’s public disclosure.

After her talk, Samuels sat down with ProPublica to talk about the current state of health privacy. The conversation has been edited for length and clarity.

Q. To start off with, the Anthem breach is still at the top of mind for so many people. Does this change the landscape in terms of health data breaches?

A. We won’t know until after we have investigated what the causes of the Anthem breach are or were, or whether there are concerns about HIPAA compliance. But I think that it illustrates both the increasing risks that exist in the cybersecurity space and the need for covered entities [health providers and others subject to HIPAA’s requirements] to continue to update and evaluate their risk analyses to ensure that their risk management plans adequately anticipate all of the kinds of threats they may face.

Q. I received a breach letter from Anthem [informing me that my data was accessed] and I heard from a lot of people who did. One of the things that they say is, ‘I don’t even know what to make of this. What of mine was taken? Will it be used against me?’ How do you advise them what to do?

A. We will be evaluating the kinds of information that was compromised and the source of the breach and the harm that accrued to the different individuals. Those are all questions that I think will inform the work that we do in this space and we will have further answers as we learn more.

Q. Since HIPAA was passed in 1996, how would you say the state of play has changed with respect to patient privacy and the security of records? . . .

Continue reading.

The Ornstein article includes an interesting sidebar:

Over 1,100 Health Data Breaches, but Few Fines

Since October 2009, health care organizations and their business partners reported 1,163 large-scale data breaches, each affecting at least 500 people, to the U.S. Department of Health and Human Services. Of those, seven breaches have resulted in fines. Explore the app.

And definitely click that link to explore the app. The number of breaches is astonishing, but since the companies don’t have to pay anything, they don’t really bother to protect the data.

Also, Andrea Peterson reports for the Washington Post:

Last year, the fallout from a string of breaches at major retailers like Target and Home Depot had consumers on edge. But 2015 is shaping up to be the year consumers should be taking a closer look at who is guarding their health information.

Data about more than 120 million people has been compromised in more than 1,100 separate breaches at organizations handling protected health data since 2009, according to Department of Health and Human Services data reviewed by The Washington Post.

“That’s a third of the U.S. population — this really should be a wake-up call,” said Deborah Peel, the executive director of Patient Privacy Rights.

The data may double-count some individuals if they had their information compromised in more than one incident, but it still reflects a staggering number of times Americans have been affected by breaches at organizations trusted with sensitive health information. And the data does not yet reflect the hack of Premera, which announced this week that hackers may have accessed information, including medical data, on up to 11 million people.


Most breaches of data from health organizations are small and don’t involve hackers breaking into a company’s computer system. Some involve a stolen laptop or the inappropriate disposal of paper records, for example — and not all necessarily involve medical information. But hacking-related incidents disclosed this year have dramatically driven up the number of people exposed by breaches in this sector.

When Anthem, the nation’s second-largest health insurer, announced in February that hackers broke into a database containing the personal information of nearly 80 million records related to consumers, that one incident more than doubled the number of people affected by breaches in the health industry since the agency started publicly reporting on the issue in 2009.

“We are certainly seeing a rise in the number of individuals affected by hacking/IT incidents,” Rachel Seeger, a spokesperson for HHS’s Office for Civil Rights, said in a statement. “These incidents have the potential to affect very large numbers of health care consumers, as evidenced by the recent Anthem and Premera breaches.”

And some cybersecurity experts warn this may only be the beginning. “We’re probably going to see a lot more of these happening in the coming few months,” said Dave Kennedy, the chief executive of TrustedSEC.

Health organizations are targets because they maintain troves of data with significant resale value in black markets, Kennedy said, and their security practices are often less sophisticated than other industries. Now that some major players in the market have come forward as victims of cyberattacks other organizations are likely to take a close look at their own networks — potentially uncovering other compromises, he said.

“The information that companies like Anthem and Premera had is more valuable than just payment card information held by retailers or financial institutions,” said Scott Vernick, who heads up the data security and privacy practice at law firm Fox Rothschild. Credit card information has a relatively short shelf life, with new cards issued on a regular basis, he explained. But health organizations often have complete profiles of people including Social Security numbers and medical health information that is much more difficult if not impossible to change.


Some of the data can be used to pursue traditional financial crimes — like setting up fraudulent lines of credit, Kennedy said. But it can also be used for medical insurance fraud, like purchasing medical equipment for resale or obtaining pricey medical care for another person.

This type of scheme is often . . .

Continue reading.

Congress could do something about this except that Congress can’t seem to do anything.

Written by LeisureGuy

20 March 2015 at 4:06 pm
