It’s a question worth asking your healthcare provider: are you doing the bare minimum to meet federal HIPAA standards or are you actually using common sense to protect my sensitive medical information?
That’s the concern after another data breach rocked Oregon Health & Science University. It reported on March 25 that a surgeon’s unencrypted laptop was stolen from a vacation rental home in Hawaii. The stolen laptop contained medical record numbers, types and dates of surgeries, names of surgeons of 4,022 patients, and (worst of all) the Social Security numbers for at least 17 confirmed patients.
Because the university is admitting that sensitive personal information on the laptop included patients’ Social Security numbers, it is offering these people free identity theft monitoring. OHSU has also set up a toll-free phone number (877-819-9774) to respond to patient questions about the laptop theft.
In this day and age of stringent HIPAA requirements, it’s almost difficult to believe that university officials required laptop encryption only for laptops used for patient care. The university says that because the stolen laptop was strictly used for research purposes, it was not required to use encryption.
Other sensitive personal information leaked includes:
- Patient names
- OHSU patient medical record numbers
- Type of surgery for each patient
- Surgery dates, times and locations (limited to surgeries in late 2012 through February 20, 2013)
- Patient gender
- Patient age
- Name of the surgeon and anesthesiologist
This is the second recent data breach at OHSU. In 2012, the university sent letters to about 14,000 patients and 200 employees after the theft of a flashdrive at a hospital employee’s home.
After the OHSU breach in 2012, university officials assured the public that it had taken rigid steps to safeguard information:
“OHSU has several measures in place to protect patient information, including encryption software for computers, password protections and secure programs for managing patient information and tracking usage. The university also provides extensive training to all employees who have access to patient data. In addition, the university has enacted several layers of policy to help protect this information.”
However, it is now evident that those “safeguards” did nothing to meet the strict HIPAA requirements set forth for all covered entities charged with protecting personal information. It seems the university merely met its lowest-threshold HIPAA requirements to remain compliant pursuant to the regulatory agency’s scrutiny.
After all, the university boasted that it had “several measures in place to protect patient information, including encryption software for computers” — but we now know that it only encrypted certain computers and only to satisfy minimum federal security requirements.
Medical Data Fraud Rattles the Nation
Unfortunately, medical data breaches are not just a problem in Oregon.
The Department of Health and Human Services recorded 146 breaches of protected health information affecting 2,413,397 individuals in 2012. The top 5 incidents contributed to nearly two-thirds of all patient records exposed during the entire year. Is it naive to think 2013 would be any better? Apparently it is. Not only did the OSHU incident happen in 2013, but check out other notable recent breaches:
- In January, the University of Mississippi Medical Center issued a breach notice to an unknown number of patients that it had lost a shared, password-protected laptop containing patients’ medical files. The records from 2008-2013 included names, addresses, dates of birth, Social Security Numbers, diagnoses, medications, treatments and other clinical information. The laptop is still missing.
- In February, Texas Tech University Health Sciences Center experienced a data breach affecting about 700 patients. The error occurred while processing billing statements — letters containing patients’ names, account numbers, and other personal information were mistakenly sent to the mailing addresses of other patients.
- In March, a clerk at Palm Beach County Health Department in Florida was arrested on charges of identity theft. According to the criminal complaint, the clerk obtained patient identification information, including more than 2,800 patient names and Social Security numbers from the department’s computer system and gave that information to her accomplices to file fraudulent tax returns seeking the patients’ refunds.
- And in April, the William Jennings Bryan Dorn VA medical center in Virginia alerted 7,405 veteran patients of a breach involving an unprotected, stolen laptop containing patients’ names, birth dates, weight, race, respiratory test results, and partial Social Security numbers. The laptop has yet to be found.
Calm Before the Storm
A study conducted by data security firm Redspin found that while overall data breach incidents increased 21% in 2012, the number of records exposed decreased 77%. So maybe that means a majority of healthcare facilities are taking their HIPAA responsibilities seriously, even if it’s not actually preventing the breaches altogether?
However, the study also points out that 38% of data breaches in 2012 were the result of an unencrypted laptop or other portable electronic device.
In Redspin’s opinion, hacker attacks are likely to increase in frequency over the next few years. Personal health records are high value targets for cybercriminals as they can be exploited for identify theft, insurance fraud, stolen prescriptions, and dangerous hoaxes. We expect that the low incidence rate of hacking during the past few years was the calm before the storm. It is crucial for healthcare providers to “up their game” when it comes to security defenses.”
Calm before the storm? That’s not good news but yet it’s also obvious that some medical facilities are doing the bare minimum to encrypt and safeguard our personal health information.