HIPAA Breach Trends 2016.5

David Schulz Cybersecurity, Featured, Guest Post, Healthcare, Uncategorized

Texas is a fat, rich target!

In the last six months, there have been 140 breaches of Protected Health Information posted on the Health and Human Service portal. A total of 4,484,936 patients were victimized.

Over the same period last year, 145 breaches affected (please read this slowly:) 94,082,873 !!

Yes, that’s Ninety-Four Million plus. Ninety-million were due to only two insurance companies’ blockbuster breaches, that of Primera and Anthem. The third mega-breach of 2015, Experian, was still a few months away.

Ignoring the mammoth breaches of insurance companies, the 2016 threat profile for healthcare provider’s looks quite a bit like last year’s. The site of three-quarters of all reported HIPAA breach incidents are healthcare providers, and a provider’s risks are divided equally between IT incursion, theft or loss of records, and unauthorized access or disclosure. Fixating only on the issue of IT network security will create robust front door locks, but leave the back door and windows wide open.

HIPAA Breach 01-07-2016
TAKEAWAY 1 – Providers are the largest (and most vulnerable) target

provider risk 01-07-2016
TAKEAWAY 2 – Guarding against theft, loss, or disposal of records AND preventing data from being accidentally accessed or disclosed are just as vital as IT network security.

TAKEAWAY 3 – Issue is Global but the Weakness is Local: Texas is a fat, rich target!

The Lone Star State contributed its fair share over the same period … where details are known, they’re provided:

  • The University of Texas System Administration – Unauthorized Access/Disclosure by Email of 794 records (Austin)
  • Medical Colleagues of Texas – Hacking of a Network Server revealed 68,631 in Katy, Texas: “The intrusion was first detected on March 8, 2016 when an office employee noticed unusual activity on the computer network of the obstetrics group. The activity was determined to be caused by an unauthorized individual who had gained remote access to the network.” http://www.hipaajournal.com/medical-colleagues-texas-hacking-incident-impacts-68k-patients-3446/
  • Val Verde Regional Medical Center – Hacking of a Server revealed 2,000 in Del Rio – March 31, 2016: Val Verde Regional Medical Center recently discovered a security breach involving a small number of the facility’s overall patient population. On or about August 9, 2015, an independent healthcare provider downloaded unsecured protected health information and emailed it to a personal account without encryption protection.”
  • Felicia Lewis, Internal Medicine Healthcare Provider Hacking Electronic Medical Record exposed 1,500 in Ennis
  • Northstar Healthcare Acquisitions Laptop Theft exposes 20,000 in Houston April 28, Northstar Healthcare Acquisitions reported to OCR a stolen laptop breach that impacted nearly 20,000 individuals.
  • Excel Plus Home Health’s Desktop Computer Theft exposes 524
  • Eye Institute of Corpus Christi Theft of Electronic Medical Records 43,961 Mar 3 Corpus Christi: the Eye Institute of Corpus Christi, a full service eye care, diagnosis, and treatment clinic in Texas, has discovered that individuals gained access to the records of all of its patients, downloaded their protected health information from the EHR, copied those data, and provided them to two physicians formerly employed by the eye clinic.
  • HealthSouth Rehabilitation Hospital of Round Rock Theft of Laptop reveals 1359 records The latest laptop theft affects 1,359 patients of the HealthSouth Rehabilitation Hospital in Round Rock, TX. An employee of the hospital left an unencrypted laptop computer in the trunk of a vehicle from where it was stolen. As with the NM Department of Health laptop theft, the incident occurred in October.
  • Oceans Acquisition, Inc. Theft of Laptop exposes 659 The theft of a laptop computer from the vehicle of an Oceans Acquisitions employee has resulted in the protected health information of 659 patients from the Abilene region of Texas being exposed.
  • WhiteGlove Health Email Unauthorized Access/Disclosure 975 “Phishing” email provided password access to network.
About the Author

David Schulz