One of the keys to meeting the notification requirement is completing and documenting a data breach incident “risk assessment” for each and every incident that is detected. The “rules” for carrying out this mandated assessment are specified by the department of Health and Human Services (HHS) in their rulemaking. This webinar will assist information security, compliance and privacy officers and professionals at hospitals, health insurers, and other covered entities in understanding what they need to do and how to go about doing it, when faced with a potential data breach incident.

A description of the webinar follows.

The HITECH Act requires HIPAA-covered entities to carry out a careful risk assessment, including an evaluation of potential harm, for every potential data breach incident. This risk assessment will assist organizations in deciding whether they are obligated to then notify affected individuals, the Department of Health and Human Services (HHS) and the media about data breach incidents.

Kirk Nahra, CIPP, a partner at the premier healthcare law firm Wiley Rein LLP, and Rick Kam, president and founder of ID Experts, will review and discuss the HHS rules for completing these mandated data breach incident risk assessments in order to ensure compliance and utilize evolving best practices.

Learn about considerations for HIPAA-covered entities in carrying out mandated HITECH data security breach incident risk assessments. To enroll to attend the webinar, click here.

With the economic meltdown of 2009, and the subsequently high unemployment rates,  there is now emerging a growing trend of data breaches caused by disaffected or displaced employees.

Recently noted by San Francisco Chronicle writer Alejandro Martínez-Cabrera in his article titled “How some ex-employees turn to cybercrime“:

“Corporations across all industries have been dealing with a steadily growing number of internal data breaches since the financial meltdown. A Verizon data loss report noted that individuals with insider knowledge of organizations accounted for 20 percent of all breaches last year, and that number has been increasing as economic malaises drag on, said Chris Novak, managing principal of Verizon Business’ Global Investigative Response Team.”

“Stolen data can range from employees’ health care records or clients’ credit card numbers to merger and acquisition plans, confidential agreements or valuable source code, said Rick Kam, president and co-founder of data breach prevention firm ID Experts.

Thieves can easily sell the information to cyber-criminal rings or use it as a bargaining chip to get a job with their former employer’s competitors. According to the Ponemon Institute study, 67 percent of respondents said they would use “their former company’s confidential, sensitive or proprietary information to leverage a new job.”

‘The issue of identity theft is all about opportunity,’ Kam said. ‘And our first instinct is to protect ourselves.’

In one case handled by Kam’s company six months ago, a disgruntled man went as far as trying to extort his former employer, a large health care provider, by threatening to release thousands of sensitive patient records that would have triggered an avalanche of lawsuits.”

This study, co-sponsored by ID Experts, the leader in identity breach protection, exposes some significant concerns.  It concludes that healthcare business associates, those organizations that provide services such as billing, credit bureaus, benefits management, legal services, claims processing, insurance brokers, data processing firms, pharmacy chains, accounting firms, temporary office personnel, and offshore transcription, are “unprepared for data breach”.

Further it notes that  “68 Percent of Provider Respondents Indicated that the HITECH Act’s Expanded Breach Notification Requirements will Result in More Discovery and Reporting of Incidents”.

This implies that healthcare organization are experiencing data breach incidents that in the past have either gone unrecognized or unreported. And that the new law is likely to “expose” more incidents because of the compliance requirements and the potentially large penalties for non-compliance.It also notes that a lack of preparedness and concern on the part of healthcare providers’ business associates creates a very significant risk to the privacy of their patients.

The Santa Fe Group, an industry consortium, announced today an identity crime victims’ bill of rights that proposes the rights that should be provided to all individuals and recommending an approach to legislation for adopting this bill of rights.

“The five basic rights address the need for legislation that enables individual victims of identity theft to access and correct personally identifiable information (PII) records. The Bill of Rights white paper, titled Victims’ Rights: Fighting Identity Crime on the Front Lines, is now available at http://santa-fe-group.com/whitepapers/register.php.”

The Identity Crime Victims Bill of Rights advocates improved protection and support for victims and includes:

• Assessment of the nature and extent of the crime that removes the procedural ‘Catch-22s’ when validating identity
• Full restoration of victims’ identities to pre-theft status, including the ability to expunge records
• Freedom from harassment from collection agencies, law enforcement and others
• Prosecution of offenders and accountability for businesses that fail to reasonably secure personal information
• Restitution that includes repayment for financial losses and expenses

“The white paper effort was led by the Identity Management Working Group of The Santa Fe Group Vendor Council chaired by Rick Kam, President of ID Experts (www.idexpertscorp.com).

‘Despite new additions to the Fair and Accurate Credit Transaction Act of 2003 (FACT), such as free credit reports and the ability to place fraud alerts after identity theft, victims are still subject to inconsistent and unfair treatment from state and federal agencies, law enforcement and businesses,’ said Rick Kam, President of Portland-based ID Experts, a leader in data breach prevention and remediation. ‘We created the Bill of Rights to empower victims by granting them the same rights as victims of other crimes.’”

The Santa Fe Group, ID Experts and other members of the Vendor Council will be holding meetings in Washington, DC later this spring in order to drum up support for this concept and related legislation.

The charge shows up on statements as coming from “Adele Services” in Melville, N.Y. Of course, there is no business by that name in Melville, or anywhere in New York. According to The Boston Globe, “Two theories of what is going on have advanced on message boards and among consumer advocates: Someone is trying to find out whether an illegally obtained credit card number will work before making a bigger charge, or they’re trying to rip off tiny amounts from tons of people.”

So far, most reports indicate that no larger charges have appeared yet. However, the Better Business Bureau estimates the number of victims to be in the millions. It has not yet been determined how the card numbers became compromised. It has been mostly successful since most people are likely to overlook or ignore a small charge. As former Massachusetts assistant attorney general Edgar Dworsky, told The Boston Globe, “It’s easier to steal $1 from a million people than $1 million from one person.”

This is a great reminder of why it is important to examine your monthly statements closely, and to always question charges you do not recognize no matter how small. If you let it slide, that is exactly what they are hoping for. If you have one of these charges, call your financial institution and notify them of the disputed charge. Then file a complaint with the FTC (www.ftc.gov) and the FBI’s Internet Crime Complaint Center (www.ic3.gov). It is important to lodge a complaint, even if the charge is small, as a large number of similar complaints can launch a federal investigation.

The Ponemon Institute today released a new study, sponsored by ID Experts, titled “Consumers Report Card on Data Breach Notification“. They describe the rationale and importance of this study as follows:

“It is well established that identity theft has become a very serious issue for Americans. But how well are organizations responding to consumers’ worries when their personal information is lost as the result of a data breach? We decided to conduct this study to find out if consumers who received notification about a data breach involving their personal information were satisfied with the organizations’ response and transparency. In other words, if the consumers had the ability to issue a report card on the current status of data breach notification would it be A for excellent or F for failing?”

The report provides a wealth of useful information to companies in order to effectively plan for a data breach response effort. Given an earlier Ponemon study estimate that around two-thirds of the $197 per person average cost of a data breach is in lost business and reputation, this report can assist companies in evaluating how elements of their data breach response effort can influence their customer retention rates and thereby attempt to reduce this very critical component of the cost equation.

Dr. Larry Ponemon states that:

“Data breach notifications are a failure if individuals do not have a clear understanding of their level of risk, available support, and the steps they need to take to respond to the loss of theft of their personal information. Our research strongly suggests that legal compliance is the primary goal of many companies’ notification efforts. This approach does not serve the best interests of consumers and contributes to a breakdown of trust that can impact a company monetarily as a result of increase in customer defection.”

To download a copy of this study, visit the ID Experts website and click on the New Ponemon Study link.