10 preventable breaches from the last month alone

Posted: Sep 22, 2014

The personal information of over 141,000 patients has been compromised, according to breach notifications submitted by just 10 covered entities in the last 30 days. The avoidable HIPAA violations took place between December 2007 and July 2014 as a result of negligent behavior by healthcare professionals and organizations.

Here’s a summary of what happened and how sfax could have prevented the breaches:

Breach type: Improper access by an employee

Memorial Hermann Health System, Houston
The earliest incident of the 10 breaches featured in this post, taking place between Dec 2007 and Jul 2014, saw 10,000 patient records put at risk after an employee improperly accessed personal information. The Electronic Medical Records (EMRs) contained names, addresses, medical record numbers, birth dates, and health insurance information, as well as some social security numbers.

Tampa (Fla.) General Hospital
The EMRs of 675 patients were improperly accessed by an employee, compromising individuals' names, addresses, birth dates, and social security numbers. It was revealed that the guilty party had printed off face sheets for patients who had surgeries scheduled between Oct 2011 and Aug 2014. The duly fired employee was brought to justice after police found face sheets on an arrested individual unrelated to the hospital.

Solution: Controlling access to Protected Health Information (PHI) both inside and outside of healthcare organizations is a vital element of HIPAA compliance. There are 18 different identifiers under HIPAA, such as name, address and social security number, that must remain secure at every stage of handling. While educating employees about the risks of handling PHI is important, it is the responsibility of organizations to set limitations that prevent unauthorized access. With sfax, we ensure that administrators have full control to manage users. By limiting who has access, determining their permissions and assigning who can generate reports, it is possible to avoid breaches caused by improper access to PHI.

Breach type: Unauthorized access via Business Associates

Diatherix Labs, Huntsville, Ala.
A security lapse by billing services provider Diamond Computing Company led to Diatherix Labs reporting a data breach affecting more than 7,000 individuals. The error is thought to have first occurred in Sept 2011, after one of its computer servers was made accessible via the Internet. The notification letter claims that the PHI was not viewed until two and a half years later, in March 2014. The server contained numerous forms of PHI, including patient account numbers, test dates, and social security numbers.

Children’s Mercy Hospital, Kansas City, Mo.
The personal information of over 4,000 employees was compromised in 2012 after an online scheduling system failed to meet HIPAA regulations. Data stored by Onsite Health Diagnostics, a vendor used by StayWell Health Management on behalf of Children's Mercy Hospital in Kansas City, was exposed, including names, email addresses, and phone numbers.

Aventura (Fla.) Hospital and Medical Center
The largest of the 10 reported breaches here took place in June 2012, after an employee from one of the hospital's business associates potentially accessed over 82,000 patient records. It is reported that between Sept 2012 and June 2014 an employee of Valesco Ventures, which provides hospital physician staffing and other associated services, may have accessed the names, birth dates, and social security numbers of patients.

Solution: Choose a business associate that can ensure HIPAA compliance and offer a Business Associate Agreement (BAA). Sfax was born out of risk, and as such we are designed to meet the rigors of healthcare when it comes to PHI. You can prevent HIPAA violations by choosing an associate that not only meets but exceeds security regulations on a physical, organizational and technical level.

Breach type: Hacking

Central Utah Clinic, Provo
In October 2012, hackers accessed the Central Utah Clinic server, jeopardizing the records of over 30,000 patients. The breach was discovered in June 2013, and while it is not known whether any personal information was used by third parties, patient information such as names, birth dates, and social security numbers was placed at risk.

Solution: Store and share sensitive documents via a HIPAA-compliant cloud-based solution rather than an office-based server. At sfax, nothing is ever stored on a local hard drive or server, where you run the risk of compromising data security. Sensitive information is rigorously protected by a range of security measures; find out more here.

Breach type: Theft

Beachwood-Westlake Plastic Surgery and Medical Spa, Ohio
A stolen computer led to Beachwood-Westlake Plastic Surgery and Medical Spa notifying over 6,000 patients that their personal information may have been compromised. The unencrypted device contained names and medical information.

Durham, N.C.-based Duke University Health System
An unencrypted thumb drive containing spreadsheets of individuals' names, medical record numbers and physicians' names was stolen on July 1, 2014 from the DUHS administrative office. The drive contained at least 500 records, and an investigation is underway to determine the scale of the incident.

St. Elizabeth’s Medical Center, Brighton, Mass.
Theft of a laptop and thumb drive from a former SEMC physician’s home led to 595 patient records being put at risk. Both devices were unencrypted and included information about patients who visited the SEMC Breast Care or hematology/oncology department between May 2011 and Jan 2014.

Cedars-Sinai Medical Center, Los Angeles
At least 500 patient records were compromised after an unencrypted laptop was stolen from an employee's home in June 2014. The laptop is known to have contained PHI, and its theft is yet another case in a long string of data breaches caused by insufficient encryption.

Solution: Verify the level of encryption enabled at every stage of data handling. Whether you are a covered entity or a business associate, it is vital that you take every reasonable and practical step towards protecting sensitive data. At sfax we guarantee full 256-bit SSL encryption with 2048-bit private keys, and Advanced Encryption Standard (AES) for all documents and data in motion. Our state-of-the-art security is designed from the ground up to meet the strict needs of the healthcare industry. Scrypt also makes sure that documents are never downloaded and stored on a device, preventing access to PHI on stolen equipment.