
Private Practices report data breaches – 54,000 patient records lost since September 2009

Posted by: Rick Kam | August 18th, 2010

Physicians’ offices and small clinics are recent targets of patient data theft, creating a legal obligation to notify patients of the crime under the new federal HITECH Act as well as to provide concurrent notice to the HHS Office of Civil Rights (OCR). A recent article in HealthLeaders Media highlighted this growing problem.

According to OCR, breaches at 11 private practices, affecting a total of more than 54,000 patient records, have been reported to them since this legislation to protect patient privacy went into effect in September 2009.

The risk to affected patients is medical identity theft by criminals wanting to use their information to obtain illegal prescriptions and medical services. The risks to private practices are regulatory non-compliance, state and federal fines for privacy violations, class action litigation, and losing patients who decide to take their business elsewhere.

Unfortunately, a breach of patient data is common. A misdirected fax, a stolen laptop, or a missing PDA containing patient data is all it takes.


When you suspect you have a breach of patient data, get help. A recent survey by the Ponemon Institute, a research organization that studies data breach incidents, found that 44% of the organizations surveyed engaged experts. Ponemon also found that those that engaged experts experienced 26% lower costs and more positive outcomes, including compliance with regulations, minimizing the risk of fines and class action litigation, and protecting patients from medical identity theft.

ID Experts has helped private practices and clinics, large and small, effectively mitigate the risks of a data breach. If you think you have an issue, call the ID Experts hotline at 866-726-4271 to discuss the case.


New RADAR tool for HITECH data breach risk assessments

Posted by: Doug Pollack | July 21st, 2010

ID Experts today announced RADAR (HITECH Risk Assessment, Documentation and Reporting), the industry’s first expert software tool to measure a data breach incident’s risk index (IRI) by combining the severity of the episode and the sensitivity of the exposed data to quantify the incident’s overall harm threshold. Designed for healthcare providers, HIPAA covered entities, and their business associates, RADAR was developed to efficiently and consistently meet all of the requirements of the HITECH Act data breach notification provisions for harm threshold assessment, documentation and reporting of security and privacy breach incidents.

Security breaches are now remarkably commonplace in healthcare; more than 55 were reported to the Department of Health and Human Services (HHS) in the first six months of 2010. In fact, healthcare is the second most breached industry, according to the Identity Theft Resource Center. And security breaches, whether digital- or paper-based, can happen at any given moment—physical theft of a laptop from an employee’s car, deliberate abuse of system access, misdirected faxes and emails, malware attacks, unintentional human error, unauthorized access, a lost backup drive. Additionally, the future of healthcare dictates the use of electronic medical records, raising fresh concerns about protecting patient privacy, threats to PHI, and medical identity theft.

Dr. Larry Ponemon, chairman and founder of the Ponemon Institute, a leading researcher and voice in addressing data breach risks and issues, noted about RADAR that:

“Organizations may need guidance, especially when dealing with PHI breaches, so they cover their bases to protect individuals and follow all of the rules and laws. ID Experts’ new RADAR tool offers consistency and efficiency for evaluating and reporting a security breach, and provides the analysis and documentation required of a mandated risk assessment.”

Following any security breach, RADAR guides the privacy or security officer through analyzing the incident and the exposed data: quantifying the incident, determining whether the exposed information includes PHI, whether any exceptions apply, and the likelihood that the information could be misused. The results help organizations determine the potential risk of harm to the individuals affected by each data breach incident and take appropriate steps to mitigate that harm, while fulfilling all of the HITECH requirements enforced by HHS, including determining whether notification is required.

RADAR is currently in beta testing with several leading US healthcare providers and will be generally available in August 2010. RADAR is available as software-as-a-service on a subscription basis, with pricing starting at $1,500 per user per year.

More HITECH privacy rules for healthcare

Posted by: Doug Pollack | April 29th, 2010

As required under the Health Information Technology for Economic and Clinical Health (HITECH) Act, the US Department of Health and Human Services (HHS) released an Interim Final Rule for data breach notification provisions that went into effect earlier this year.

As noted by Healthcare IT News, “this coming May, HHS will also issue new proposed rules that will address additional privacy, security and enforcement requirements for HIPAA covered entities and their business associates that acquire and handle protected health information (PHI).

“The rule also toughens related provisions in the Health Insurance Portability and Accountability Act (HIPAA) as the adoption of electronic health records and health information exchange expands the number of organizations that may have access to personal data.

The proposed rule focuses on the liability of business associates of healthcare providers and plans; new limitations on the sale of protected health information; and stronger individual rights to access electronic medical records and restrict the disclosure of certain information, HHS has said.”

These rules will continue to expand what has become, during 2010, a daunting regulatory environment for healthcare organizations, which must digest numerous requirements for securing the privacy of patient health records.

Given that healthcare organizations are now obligated to report all data breaches that affect over 500 individuals to the Office of Civil Rights at HHS, which posts them on its website, for the first time we will be able to get a window into the actual volume and nature of the data breach incidents occurring in healthcare. At least this should be the case once covered entities and their business associates develop sound processes and technologies for detecting data breach incidents, as required under HITECH.

Given that data breach incidents in healthcare are moving in the wrong direction (they are on the rise), it behooves all organizations entrusted with PHI to have a comprehensive data breach incident response plan in place, and to have business contracts with every organization with whom they share this data that ensure compliance with privacy rules and determine who will bear the costs of data breach notification if and when such incidents occur.

Hacking is Cause of Exposure for Most Data Breach Records

Posted by: Doug Pollack | April 21st, 2010

Symantec released their Global Internet Security Report for 2009 which explores in great detail the causes of data breach incidents. It finds that hacking attacks are responsible for the majority of personal identity records exposed in 2009.

“In 2009, 60 percent of identities exposed were compromised by hacking attacks, which are another form of targeted attack. The majority of these were the result of a successful hacking attack on a single credit card payment processor. The hackers gained access to the company’s payment processing network using an SQL-injection attack. The attackers then installed malicious code designed to gather sensitive information from the network, which allowed them to easily access the network at their convenience. The attacks resulted in the theft of approximately 130 million credit card numbers. An investigation was undertaken when the company began receiving reports of fraudulent activity on credit cards that the company itself had processed. The attackers were eventually tracked down and charged by federal authorities. This type of targeted hacking attack is further evidence of the significant role that malicious code can play in data breaches. Although data breaches occur due to a number of causes, the covert nature of malicious code is an efficient and enticing means for attackers to remotely acquire sensitive information.”

The report also highlights trends in the countries that originate the majority of cybercrime activity. Brazil and India show very rapid growth in malicious activity and are both now ranked in the top 10.


High Unemployment Increases Cybercrime

Posted by: Doug Pollack | April 8th, 2010

In the past, a significant percentage of data breach incidents have been attributed to carelessness. The lost laptop is one of the most common data breach causes, especially given how few organizations use encryption technology and how common it is for employees to have access to private data.

With the economic meltdown of 2009, and the subsequent high unemployment rates, there is now a growing trend of data breaches caused by disaffected or displaced employees.

As recently noted by San Francisco Chronicle writer Alejandro Martínez-Cabrera in his article titled “How some ex-employees turn to cybercrime”:

“Corporations across all industries have been dealing with a steadily growing number of internal data breaches since the financial meltdown. A Verizon data loss report noted that individuals with insider knowledge of organizations accounted for 20 percent of all breaches last year, and that number has been increasing as economic malaises drag on, said Chris Novak, managing principal of Verizon Business’ Global Investigative Response Team.”

“Stolen data can range from employees’ health care records or clients’ credit card numbers to merger and acquisition plans, confidential agreements or valuable source code, said Rick Kam, president and co-founder of data breach prevention firm ID Experts.

Thieves can easily sell the information to cyber-criminal rings or use it as a bargaining chip to get a job with their former employer’s competitors. According to the Ponemon Institute study, 67 percent of respondents said they would use “their former company’s confidential, sensitive or proprietary information to leverage a new job.”

‘The issue of identity theft is all about opportunity,’ Kam said. ‘And our first instinct is to protect ourselves.’

In one case handled by Kam’s company six months ago, a disgruntled man went as far as trying to extort his former employer, a large health care provider, by threatening to release thousands of sensitive patient records that would have triggered an avalanche of lawsuits.”

Financial Management of Cyber Risk

Posted by: Doug Pollack | April 6th, 2010

This past week, the Internet Security Alliance (ISA) and the American National Standards Institute (ANSI) released a groundbreaking document that is aimed at assisting the Chief Financial Officer of major corporations and organizations in managing the financial risks inherent in protecting an organization from cybercrime.

Titled “The Financial Management of Cyber Risk: An Implementation Framework for CFOs”, the document is literally a “how to” guide to understanding and addressing the financial implications of cyber risk.

Melissa Hathaway, President of Hathaway Global Strategies and former Acting Senior Director for Cyberspace for the National Security Council, notes that this is “an excellent guide for organizations to manage the risk and exposure derived from digital dependence.”

This paper is a must-read for the CFO of any organization that has exposure to data breach risks. It is especially valuable to healthcare financial executives because of the enhanced regulatory environment in healthcare due to the recently passed Health Information Technology for Economic and Clinical Health (HITECH) Act. But CFOs in all industries and organizations that are entrusted with sensitive personally identifiable information (PII) and protected health information (PHI) should make the time to read this.

The context and perspective of this paper is best summarized in the executive summary where it states:

“Most enterprises today categorize information security as a technical or operational issue to be handled by the information technology (IT) department. This misunderstanding is fed by outdated corporate structures wherein the various silos within organizations do not feel responsible to secure their own data….In reality, cybersecurity is an enterprise-wide risk management issue that needs to be addressed from a strategic, cross-departmental, and economic perspective. The CFO, as opposed to the CIO or CSO, is the most logical person to lead this effort.”

If one were to ask the CFO of a Fortune 500 company to quantify their level of risk from cybercrime and the associated risks of data breach, most would have a difficult time answering the question. Financial officers tend to defer the management of data breach risks to the information security team. Unfortunately, this leaves many organizations exposed to risks that are misunderstood, unquantified, and uncovered.

If you are the CFO of an organization of any size and in any industry — healthcare, financial services, manufacturing, retail — or in the public sector or higher education, don’t wait to read this document.

LifeLock settles with FTC for $12 million

Posted by: Doug Pollack | March 12th, 2010

Federal agencies and regulators announced this week that LifeLock will pay $12 million to settle a complaint that it used false and misleading claims in its advertising. $11 million of the settlement will be paid to the Federal Trade Commission (FTC) and $1 million to 35 state attorneys general, all of whom worked together on this case.

The history of aggressive advertising by LifeLock, as well as by Experian with its FreeCreditReport.com singing pirate ads, has been aimed at giving consumers a sense that these services can prevent them from falling victim to identity theft.

FTC Chairman Jon Leibowitz said in a statement that:

“While LifeLock promised consumers complete protection against all types of identity theft, in truth, the protection it actually provided left enough holes that you could drive a truck through it.”

Illinois Attorney General Lisa Madigan concurred by saying:

“This agreement effectively prevents LifeLock from misrepresenting that its services offer absolute prevention against identity theft because there is unfortunately no foolproof way to avoid ID theft.”

Unfortunately, this situation illustrates how a company can parlay millions of advertising dollars into a consumer franchise based on fundamentally unsound claims. It is certainly a perfect example of a real consumer need based on a serious problem — identity theft — being addressed by an organization that isn’t playing straight with the American people.

New Healthcare Data Breach Solution

Posted by: Doug Pollack | February 17th, 2010

ID Experts today announced a new and unique solution for data breaches that involve protected health information (PHI) and associated risks of medical identity theft.

With the passage of the HITECH Act last year and the clarifying Rules published by Health and Human Services (HHS), healthcare organizations now face greater scrutiny and higher risks when it comes to patient privacy.

Historically, there has been the perception of a somewhat lax environment relative to the enforcement of HIPAA privacy regulations. With HITECH only just recently becoming enforceable, the first lawsuit has already been filed by the Attorney General of Connecticut against Health Net of Connecticut concerning their delayed response to a data breach incident that occurred months ago. If this is any indicator, the enforcement environment for HITECH is likely to be very vigorous.

With this backdrop, ID Experts created a data breach remediation offering that is tailored to meet the needs of healthcare providers and payers, and their business associates.

Until recently, common practice has been for organizations that have a data breach incident to offer victims a year or two of credit monitoring. Unfortunately, credit monitoring alone is woefully inadequate in helping individuals deal with the risks of medical identity theft and health insurance fraud. With that in mind, ID Experts created FraudStop Healthcare Edition.

FraudStop Healthcare Edition combines several components that help individuals affected by a data breach detect and address the identity theft issues that can result from a data breach. These include:

- Credit monitoring

- CyberScan, a tool that scours cyberspace for the buying and selling of personal information including for use in insurance fraud

- Healthcare Identity Protection Toolkit, a new and unique offering from ID Experts that includes a collection of tools, checklists, resources and guides for assisting an individual in monitoring their medical identity and resolving fraud issues

- Identity theft reimbursement insurance

- Fully managed identity theft restoration services

Together, this package provides the most robust offering in the market today for healthcare providers dealing with data breach risks to assist patients in ensuring their privacy.

If your organization is in the healthcare industry and subject to the HITECH Act, you now have a better and more caring answer for your patients when dealing with occasional, but typically recurring, data breach issues.


2010: Year of the Healthcare Data Breach

Posted by: Doug Pollack | January 6th, 2010

An article today in iHealthbeat titled “Innovation Inspired by Economics: 2010 Health IT Forecast” discusses trends and expectations for growth in healthcare information technologies despite the financial issues currently faced by many US healthcare providers.

“Necessity being the mother of invention, a constrained economic environment will lead to health IT innovations in two ways. First, lower cost technologies are emerging in health IT, such as open-source software, software as a service, and cloud computing, all of which will be priced lower than traditional health IT offerings. Cloud computing (the use of the Internet to store, manipulate and deliver data already existing on the Web) is seen by some health IT consultants as a useful tool in health, especially for small medical practices.”

The growth in adoption of electronic health record (EHR) systems, combined with the noted trends towards open source software and cloud computing, and with new privacy legislation carrying steep penalties for security breaches, creates a “perfect storm” for healthcare with respect to data breach incidents.

The iHealthbeat article further notes the evolution of risks and the new legal requirements now associated with HIPAA business associates.

“We can expect tougher privacy and security enforcement in health care in 2010 because of new and heftier privacy and security penalties written into the American Recovery and Reinvestment Act. The civil penalty cap will be raised from $25,000 to $1.5 million. This is a major issue for 2010 because nearly 60% of business associates interviewed in a HIMSS Analytics survey in November 2009 were unaware that changes to HIPAA will go into effect in 2010. That’s when consumers are guaranteed ‘prompt access’ to an electronic copy of their health records.”

Everything points toward 2010 being a very interesting year when it comes to patient privacy and data security.


Healthcare Breach Reporting Article Highlighted by HCPLive

Posted by: admin | December 21st, 2009

Thanks to Healthcare Professionals Live for highlighting this article and the important questions it raises.

…I was wondering about why there have yet to be any healthcare data breaches posted on the Health and Human Services (HHS) Office of Civil Rights (OCR) website. Because there have been a number of substantial incidents reported in the press since the notification requirement under the HITECH Act went into effect, it was unclear as to whether the covered entities were remiss in reporting or whether the hold up was at OCR…
