By now everyone in the U.S. has heard about the employees who were fired for looking at Kim Kardashian’s medical records when she had her baby. While this story broke as a headline in all the major news outlets, most data breaches that occur in healthcare do not. So, to break that mold, I am going to talk today about some of the larger healthcare data breaches that have happened since 2009.
The U.S. Department of Health and Human Services (HHS) tracks all data breaches that include protected health information (PHI) of 500 or more individuals. From 2009-2013 there have been approximately 650 instances of a breach involving PHI. Today, I’m going to point out some of the big ones, although in proper internet fashion, I’m going to save the biggest for last.
10) Eisenhower Medical Center - 514,330 records were breached as the result of a computer stolen from Eisenhower Medical Center in 2010. This theft also included a stolen TV, which was noticed the day of the theft. The missing laptop wasn’t noticed until three days later. The data on the laptop included names, ages, dates of birth, social security numbers and medical record numbers. The laptop was password protected, but the data was not encrypted. It was believed that there was no intent to sell the PII.
9) Utah Department of Health - 780,000 records were accessed by someone who hacked the Utah Department of Health network server in 2012. The hackers were able to get social security numbers for 280,000 people from a Medicaid server. This breach happened because the technician did not change the server’s default password, which we know leads to easy access for cybercriminals. It was estimated that the breach cost approximately $750,000. Despite spending money to increase their cybersecurity, in 2013 a USB drive with 6,000 patients’ information was lost by a third-party contractor working with the Utah Department of Health.
8) South Shore Hospital - 800,000 records were compromised at South Shore Hospital in 2010. This breach was not the result of a hacker, but instead occurred when backup computer tapes were shipped to an agency to be erased; only one of the three boxes arrived at the intended destination. Data on the tapes included patient names, social security numbers, financial account numbers and medical diagnoses. There have not been any reports of identity theft, but the lost tapes were never found. South Shore Hospital was sued for failure to protect PHI and had to pay $750,000.
7) Sutter Medical Foundation – In 2011 a desktop computer was stolen from Sutter Medical Foundation (seriously how did this go unnoticed? Laptop I get, but desktop?). The official number of stolen records reported to HHS that had more than basic identifying information was approximately 950,000, while the total number of records stolen was 3.3 million. None of the records contained financial information or social security numbers. Again, this was an instance of a computer that was password protected, but not encrypted. The lack of encryption led to the victims filing a lawsuit.
6) Blue Cross Blue Shield – The next breach on the list came with a more stringent reaction from HHS than just notifying patients. In 2009 Blue Cross Blue Shield of Tennessee had 57 unencrypted hard drives stolen that were stored at a leased facility. These drives contained PHI of approximately 1 million individuals. Again, this breach was due to a lack of proper security, and a fine of $1.5 million was paid to HHS for violating HIPAA. Since the violation Blue Cross Blue Shield has spent an additional $17 million to upgrade their security.
5) Nemours Foundation - Nemours Foundation lost a storage cabinet in 2011. The cabinet was home to backup tapes, three of which were unencrypted. The statement claimed that the cabinet was misplaced during renovations, and that there was no indication that anyone had tried to access the information. It amazes me that they were unable to find an entire storage cabinet, but then I lose my car in the parking lot so I guess I can’t be too hypocritical. The total count of records lost was over 1 million and included financial information, social security numbers, and basic identifying information.
4) AvMed Inc. – In 2009 two unencrypted laptops were stolen from AvMed Inc.’s corporate office. Approximately 1.2 million individuals were affected by the data breach. The laptops had contained PHI, social security numbers, and basic identifying information. The information on the laptops was sold on the black market and false accounts were opened for multiple individuals who became the victims of identity theft. After going to the 11th U.S. Circuit Court of Appeals, the plaintiffs won their lawsuit alleging that AvMed Inc. did not properly secure their information.
3) New York City Health and Hospitals Corporation - Next up is the theft of backup tapes that were being transported to a secure facility and affected employees and patients of the New York City Health & Hospitals Corporation’s North Bronx Healthcare Network in 2010. The person responsible for transporting the tapes left the van unlocked while they made another pickup, and the tapes were stolen. The tapes were unencrypted, and had 1.7 million records containing identifying information, Social Security numbers, medical record numbers, diagnoses and treatment information, and professional license numbers of certain employees. The official cost was not announced but was estimated to be around $347 million.
2) Health Net, Inc. - In 2011 Health Net, Inc. was unable to locate nine server drives that possibly contained personal data, including social security numbers and financial information of 1.9 million policyholders. Unfortunately, this was not Health Net, Inc.’s first breach; in 2008 a portable disk drive containing medical and financial information of 1.5 million customers went missing. The first data breach resulted in a lawsuit where Health Net, Inc. had to pay $250,000 for violating HIPAA. This year, Health Net, Inc. sent insurance identification cards to 6,700 members at their former addresses. The cards did not contain financial or medical information or social security numbers, but did include name, identification number and primary care physician.
1) Tricare Management - One of the largest data breaches to occur was also quite costly. In 2011 Tricare Management’s backup tapes were misplaced by Science Applications International Corporation (SAIC), who had been contracted to safely store the information. The tapes contained PII and PHI, social security numbers, prescription information and other medical information of 4.9 million patients from a military clinic. Like the breach at New York City HHC (number 3), this theft was the result of an employee who had the tapes in their car in a parking garage. The car was broken into, and the tapes were stolen. Tricare was then subjected to a $4.9 billion lawsuit and multiple civil suits brought by individuals who were the victims of identity theft.
While it is interesting to go over some of the large breaches in the past, it points to the fact that despite our knowledge of how and why these breaches occur, we still have not prevented them from happening. This past week a story broke about an employee who sent an email containing Medicaid records of almost 18,000 patients. That is a lot of records, which leads me to believe that they probably did not have good intentions for the PHI and PII.
All of these breaches were due to human error and not having basic security measures in place. In some cases the result was simply lost information, with no consequences for the patients, but other instances show how easy it is for cybercriminals to steal information and use it to steal someone’s identity. The similarities in these stories about how the data was lost or stolen should remind us about the importance of staying up-to-date about what is happening in the healthcare cyberworld to prevent a similar attack from occurring at the agencies where we work.