Given the sensitive nature of information it must routinely collect, the healthcare industry has been a likely target for hackers for a while now. Unfortunately, companies in this industry are slow to change how they do things. Not teaching employees how to handle sensitive data and not having appropriate security measures in place is usually what causes data losses and security breaches in the healthcare industry.
In this article, we’ll explore four of the biggest security breaches in the healthcare industry in recent years. We’ll also talk about how these might have been prevented and what the industry must do to protect confidential information in the future.
Theft of Backup Tapes Exposes 4.9 Million Tricare Beneficiaries
Tricare is the healthcare program for the Department of Defense and offers health benefits to active duty military, retired military, and their family members. In 2011, some 4.9 million beneficiaries had their personal information compromised as the result of a theft of some tapes containing sensitive data.
An employee of Science Applications International Corporation (SAIC) was responsible for transporting the tapes between facilities in San Antonio pursuant to SAIC’s contract with Tricare. In September 2011, the tapes were stolen during a car burglary while the vehicle was parked in the SAIC parking lot.
The tapes may have included names, Social Security numbers, addresses, phone numbers, and some personal health data, including lab tests and prescriptions. While there is no actual proof that the data was accessed and misused, the tapes were not properly encrypted.
Backing up sensitive health information on tapes is a practice that many companies are abandoning in favor of cloud storage. Data must still be securely encrypted to be safe in the cloud, but at least there is no physical storage device in the organization’s own hands for a thief to walk away with.
As a result of this incident, several lawsuits were filed against SAIC and consolidated into a single court case. The company was accused of failing to properly protect beneficiaries’ information and of not reporting the theft until two weeks after the incident. In 2014, a federal district judge dismissed most of the claims.
Utah’s Medicaid Hack Exposed Information of 780,000 Beneficiaries
In March 2012, hackers presumably based in Eastern Europe circumvented the security controls of the Utah Department of Technology Services (DTS), which houses the state’s Medicaid servers. The server had a password-level authentication error that allowed the attackers to gain access to 24,000 files.
Potential victims include anyone whose personal information a medical provider had sent to the state of Utah to determine eligibility status, as well as anyone who visited a medical provider in the four months before the breach.
The Medicaid server stored hundreds of claims in each of the stolen files. Estimates put the loss at about 500,000 records and 280,000 Social Security numbers. Some beneficiaries had both their records and their Social Security numbers compromised as a result of the breach.
Consequently, DTS has moved the data to a new, secure server. Beneficiaries whose Social Security numbers were stolen are being offered credit monitoring services to help them detect identity theft quickly.
South Shore Hospital Pays $750,000 to Settle Data Breach Allegations
In February 2010, South Shore Hospital in Massachusetts shipped three boxes containing 473 unencrypted computer tapes to a company called Archive Data Solutions. The tapes contained confidential personal health information of 800,000 individuals.
The contract with Archive Data Solutions specified that the company would erase the data on the backup tapes and resell them. However, South Shore Hospital did not tell Archive Data Solutions that the information on the tapes was confidential. Worse, South Shore Hospital later learned that only one of the three boxes had arrived at its destination.
Clearly, South Shore Hospital had a lot to learn about managing sensitive data. As part of the settlement, South Shore agreed to take various steps to ensure compliance with federal and state laws. Unfortunately, the settlement does nothing to compensate potential victims for the hassle of dealing with identity theft. On the other hand, there has been no proof that the information was misused, even though the missing boxes have never been recovered.
Massive Data Breach at Anthem Affects 80 Million Customers
The Anthem data breach dwarfs the cases discussed above. In January 2015, Anthem discovered that attackers had gained access to its IT systems and obtained personal information on about 80 million of its customers.
Rather than breaking the technology directly, the attackers appear to have exploited what is known as the human element. Technological controls can only go so far: the attackers got into Anthem’s data by obtaining network credentials for at least five high-level employees, presumably through phishing, that is, fraudulent emails that tricked employees into revealing system IDs and passwords.
Another flaw in Anthem’s environment appears to be that too many employees had access to too much of the system. To remain in control of data, it is important to limit what each user can view. That is one of the reasons behind user-based access controls, an essential feature of eFileCabinet.
While Anthem investigates the attack together with the FBI, affected consumers can do little but use the free credit monitoring services on offer to stay alert for misuse of their personal information.
Important Steps to Take to Ensure Cybersecurity
At eFileCabinet, we take security extremely seriously. All of your information is encrypted, whether it’s personal information, sensitive health or financial records, or a receipt from your vendor. If your documents are important enough to save, then they are important enough to be encrypted.
We also encourage you to train your employees to protect their IDs and passwords. Employees should never give this information to anyone, and to reduce the potential for theft, it is important to evaluate how much access each of your employees is given.
Last but not least, we recommend moving away from storing data on physical devices such as CDs, tapes, and laptops. The potential for thieves to obtain your information is much greater when they can simply walk away with the storage device, especially if the information on it is unencrypted.