
Lost Flash Drive At Core Of Kaiser Permanente Data Breach

Kaiser Permanente had to notify nearly 50,000 patients after an employee reported a missing flash drive containing personal information, including patients' medications. Solution providers tell CRN to expect more breaches of this kind as hospitals and clinics struggle to keep up with regulatory mandates.

In a data breach notification letter filed with the California Attorney General's office, Kaiser Permanente Senior Vice President and Executive Director Julie Miller-Phipps said the health-care firm was informed that a USB flash drive containing the personal data was missing.

The flash drive contained the name, medical record number, date of birth and medication of patients obtaining health care at the company's Anaheim facility. The incident was reported to the firm Sept. 25, and letters to affected patients were sent out one month later.


"We're making every effort to recover it, have investigated the matter and are taking appropriate steps to remedy the situation," Miller-Phipps wrote in the letter to affected patients.

The breach is one in a line of health care-related data losses that solution providers say are becoming increasingly common because of the complexity of most provider systems. Many hospitals, clinics and medical offices struggle to maintain compliance with health-care regulations because of the myriad partners involved in delivering patient care, said Ben Goodman, president of 4A Security, a New York-based information security risk and compliance consultancy and systems integrator. Goodman said it is difficult to control data shared with associated partners and other contractors while maintaining compliance with the Health Insurance Portability and Accountability Act (HIPAA).

"There's exponentially more data out there in more places, and the compliance burden is the same for some little guy who is a consultant as it is for a hospital with employees located in different areas around the country," Goodman said. "Many firms don't have any kind of administrative policy enforcement tool in place."

Fines associated with failure to comply with HIPAA increased significantly in 2013 following the movement of enforcement from the Medicare Operations Division to the Office of Civil Rights under the Department of Health and Human Services. An update to HIPAA under an Omnibus Rule that increased penalties and extended the law's requirements to all business associates of health-care providers took effect in September. The Omnibus Rule uses a tier-based system to categorize rule violations, with fines running from $1,000 to $1.5 million per violation.

Remediating risk and addressing security issues within a health-care environment takes time and constant vigilance, said Greg Williams, a security compliance consultant for MMIC, the largest policyholder-owned medical liability insurer in the Midwest. Most health-care organizations' security programs are still in their infancy, said Williams, who has been doing a mixture of data security and compliance consulting in the industry for about 15 years.

Williams said the health-care industry is facing complex issues as organizations are required to digitize medical records. "It's overwhelmed with how to address compliance and implement safeguards," Williams told CRN in a recent interview.

While stolen laptops and smartphones are typically associated with criminals out to resell the physical devices, cybercriminals are increasingly targeting health-care organizations to steal sensitive data.

A recent study by Dell SecureWorks uncovered an underground health insurance data market valued in the millions of dollars. Social Security numbers, health insurance credentials and other patient information are bought and sold via brokered online chat rooms and forums, according to the SecureWorks researchers. The data is apparently used to help illegal immigrants, criminals and foreigners obtain specialized medical care in the U.S., the researchers said.

PUBLISHED DEC. 11, 2013
