'Wall of Shame' exposes 21M medical record breaches

Notification, reporting part of new rules under the Health Information Technology for Economic and Clinical Health Act

Over the past three years, about 21 million patients have had their medical records exposed in data security breaches large enough that they had to be reported to the federal government.

Since Sept. 2009, 477 breaches affecting 500 people or more each have been reported to the Office for Civil Rights (OCR) under the U.S. Department of Health and Human Services. In total, the health records of 20,970,222 people have been compromised, the OCR said.

The Office for Civil Rights has been updating a list of the breaches on its website. The list is known to the health care industry as "The Wall of Shame," according to the OCR.

Six health care organizations listed on The Wall of Shame reported security breaches that involved one million or more records.

Among the largest breaches reported was TRICARE Management Activity, the Department of Defense's health care program, which reported 4.9 million records lost when backup tapes went missing. TRICARE, formerly known as Civilian Health and Medical Program of the Uniformed Services (CHAMPUS), provides civilian health benefits for military personnel, military retirees, and their dependents.

Other major breaches included: Health Net, which reported 1.9 million records but could not identify how they were compromised; TRICARE Management Activity, which reported a loss of backup tapes; the New York City Health & Hospitals Corporation's North Bronx Healthcare Network, which reported the theft of 1.7 million electronic medical records; AvMed Health Plans in Florida, which reported the theft of a laptop with 1.22 million patient records; and Blue Cross Blue Shield of Tennessee, which reported the theft of an external hard drive with 1.02 million records.

WellPoint, the largest managed health care company in the Blue Cross and Blue Shield Association, also reported 31,700 of its customer records were compromised during the three-year time period. WellPoint's breach occurred via a hack to a network server, according to the report.

The Nemours Foundation, a health care organization that runs children's hospitals, also reported the loss of 1.05 million records when data backup tapes were lost.

The breach notification and reporting requirements are part of new rules under the Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009. The rules not only require the public reporting of breaches but also increase penalties for violations of the Health Insurance Portability and Accountability Act (HIPAA), which requires organizations to safeguard patient information.

About 55,000 breach reports involving fewer than 500 records each were also reported to the OCR since 2009, according to Rachel Seeger, a senior health information privacy specialist with OCR.

Theft accounted for 54% of the breaches, followed by unauthorized access or disclosure (20%), lost records and devices (11%), hacking (only 6%), improper disposal of records (5%) and other/unknown causes (4%).

"By far ... theft is the number one type of breach we're seeing," Seeger said. "We've really seen this as a commentary on crime in America where the thieves are not after the information in the laptop, but they're after the laptop."

"Most of the portable devices are being stolen out of cars or otherwise being lost. Many of these laptops are lost by an employee while in transit on public transportation," Seeger added.

Hospitals, insurance plans and physician practices can avoid penalties by simply encrypting the health care data or by destroying the electronics that house the data at end of life. Unfortunately, too few organizations are getting the message.

"We're seeing daily reports of doctors offices being broken into for the CPU, the hard drive," Seeger said. "It's not just the mobile device. It's anything electronic that people can sell."

Under the HITECH Act, there are four categories of violations that reflect increasing levels of culpability. A maximum penalty amount of $1.5 million can be levied for each violation.

To date, the OCR has fined only two organizations, but those two received substantial penalties. Other top breaches are still under investigation, Seeger said.

On March 9, Blue Cross Blue Shield of Tennessee (BCBS) was fined the maximum $1.5 million for 57 unencrypted computer hard drives that were stolen from a leased storage facility in 2009. BCBS has since encrypted all of its hard drives, representing 885TB of data. BCBS said it spent more than 5,000 man-hours on the encryption effort, which cost the company $6 million.

On June 26, the Alaska Department of Health and Social Services (DHSS) got hammered for $1.7 million, along with a three-year corrective action plan, for the theft of a USB hard drive from an employee's vehicle. The hard drive had a relatively small number of records on it, representing only 501 people. That case represents the first HHS action against a state agency.

The OCR found "long-standing non-compliance with the HIPAA Security Rules."

"The settlement is based on multiple violations of the Rule, not the number of records involved in the incident that sparked the investigation," Seeger said.

"I think the fines and the list sends a strong signal," she added.

Lucas Mearian covers storage, disaster recovery and business continuity, financial services infrastructure and health care IT for Computerworld. Follow Lucas on Twitter at @lucasmearian or subscribe to Lucas's RSS feed. His e-mail address is lmearian@computerworld.com.
