A total of 113 health care facilities have been hit with data breaches in 2010, compared with only 39 banking/finance firms, according to a July 28 report by the Identity Theft Resource Center.
Hospitals are vulnerable to insider data breaches with the multitude of
doctors, nurses, lab technicians, janitors and food service personnel
circulating throughout the facility, according to Jay Foley, executive director
of the ITRC.
In one incident reported by the ITRC, a former UCSF (University of California, San Francisco) Medical Center employee used fellow workers' Social Security numbers to fill out health surveys that won him hundreds of $100 vouchers for an Amazon.com shopping spree. The former employee pleaded guilty to wire fraud in federal court.
In another case cited in the ITRC report, the Colorado Department of Health
Care Policy & Financing notified 105,470 clients receiving state-provided
health insurance that a hard drive had been stolen containing their state ID
numbers.
The organization obtained its information on the health care data breaches
from the U.S. Department of Health and Human Services, Foley told eWEEK. To
qualify as a breach, the data had to include financial account information, as
well as driver's license and Social Security numbers, he explained.
Meanwhile, BridgeHead Software, a storage-virtualization firm, reported in
its International 2010 Data Management Healthcheck survey that 69 percent of
health care organizations expect their volume of stored data to increase this
year. However, by comparison, only 44 percent of hospitals surveyed planned to
make disaster recovery a top IT spending priority.
Frank Kenney, vice president of global strategy at Ipswitch, noted that
health care facilities are not complying with HIPAA (Health Insurance
Portability and Accountability Act) and regional government regulations on data
privacy. Even signing your name in at the front desk in a doctor's office for
all to see is a breach of HIPAA regulations, according to Kenney.
Having a nurse encrypt your signature digitally would be better, he said.
Kenney told eWEEK that full compliance and visibility, as well as avoiding storage of personal medical data on flash drives and burned CDs, are essential to averting data breaches.
As Verizon reported in its 2010 Data Breach Investigations Report, in collaboration with the U.S. Secret Service, 48 percent of data breaches across all industries were caused by insiders. "There's a fairly significant amount of breaches coming from insiders who have access to the data," Kenney said.
One heavily publicized example occurred in 2008 when the UCLA Medical Center fired employees for selling the health records of Britney Spears and Farrah Fawcett to the National Enquirer.
Most hospitals are focused on preventing unauthorized access by outsiders,
using firewalls, rather than preventing intrusion by insiders, said Phil Neray,
vice president of security strategy for IBM's
Guardium security platform, which analyzes transactions in databases for
suspicious activity. "Firewalls have been insufficient in preventing
unauthorized access by insiders," he told eWEEK.
On July 19, South Shore Hospital, in South Weymouth, Mass., reported the potential loss of 800,000 backup files containing personal, health and financial information of patients, physicians and other individuals connected with the medical facility.
Although health care facilities suffered more than double the number of data breaches (108) of banking/finance firms (39), the financial institutions are better equipped to monitor database activity than health care companies, according to IBM's Neray. "All of the major banks have implemented this technology, but very few hospitals have," he said.
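The database activity monitoring Neray describes, in the form banks deploy it, watches who reads which records and flags patterns a firewall cannot see because the reader is an authorized insider. The following is an added example, not code from the article, IBM or Guardium, showing the three checks a monitoring rule set for a hospital database would typically start with: reads of patients outside the user's own unit, reads at off-hours, and bulk harvesting of the identifier columns (Social Security numbers, financial accounts, driver's licenses) that the ITRC counts as breach material. The audit records, staff roster, patient-to-unit map, thresholds and the audit row layout are all constructed assumptions for the example.

```python
"""Toy database-activity-monitoring pass over constructed DB audit records.

Assumptions (not from the article): each audit row is (iso timestamp, user,
patient_id, columns_read); a roster maps users to a role and the units they
are allowed to read ("*" = any); a map gives each patient's admitting unit.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Columns whose exposure the ITRC counts as a breach; constructed names.
SENSITIVE = {"ssn", "financial_account", "drivers_license"}
BULK_THRESHOLD = 5            # distinct patients' sensitive columns ...
WINDOW = timedelta(hours=1)   # ... read within this sliding window
OFF_HOURS = (22, 6)           # 22:00 through 06:00 local time

# Constructed roster: user -> (role, allowed units). Not real people.
ROSTER = {
    "nurse_a": ("nurse", frozenset({"cardiology"})),
    "nurse_b": ("nurse", frozenset({"cardiology"})),
    "nurse_c": ("nurse", frozenset({"oncology"})),
    "billing_x": ("billing", "*"),   # billing legitimately spans units
}

# Constructed patient -> admitting unit map.
PATIENT_UNIT = {"P100": "cardiology", "P101": "cardiology", "P200": "oncology",
                "P300": "oncology", "P301": "oncology", "P302": "oncology",
                "P303": "oncology", "P304": "oncology"}

# Constructed audit trail, one row per record read, as a DB auditor would log it.
AUDIT = [
    ("2010-07-19T09:12:00", "nurse_a", "P100", ["name", "dob", "diagnosis"]),
    ("2010-07-19T09:15:00", "nurse_a", "P101", ["name", "vitals"]),
    ("2010-07-19T09:20:00", "nurse_b", "P100", ["name", "vitals"]),
    ("2010-07-19T10:02:00", "nurse_c", "P200", ["name", "vitals"]),
    # oncology nurse reads a cardiology patient: outside own unit
    ("2010-07-19T13:30:00", "nurse_c", "P101", ["name", "diagnosis"]),
    # billing reads one financial column during the day: no finding on its own
    ("2010-07-19T14:00:00", "billing_x", "P100", ["name", "financial_account"]),
    # late-night burst of SSN reads across five patients: the harvesting pattern
    ("2010-07-19T23:40:00", "nurse_c", "P300", ["name", "ssn"]),
    ("2010-07-19T23:42:00", "nurse_c", "P301", ["name", "ssn"]),
    ("2010-07-19T23:44:00", "nurse_c", "P302", ["name", "ssn"]),
    ("2010-07-19T23:46:00", "nurse_c", "P303", ["name", "ssn"]),
    ("2010-07-19T23:48:00", "nurse_c", "P304", ["name", "ssn"]),
]


def parse(row):
    ts, user, pid, cols = row
    return datetime.fromisoformat(ts), user, pid, set(cols)


def analyze(audit, roster, patient_unit):
    """Return a list of (rule, user, detail) findings over the audit rows."""
    findings = []
    rows = sorted((parse(r) for r in audit), key=lambda r: r[0])
    sensitive_reads = defaultdict(list)   # user -> [(ts, patient_id)]
    for ts, user, pid, cols in rows:
        _role, allowed = roster.get(user, ("unknown", frozenset()))
        unit = patient_unit.get(pid)
        # Rule 1: read of a patient admitted to a unit the user does not cover
        if allowed != "*" and unit is not None and unit not in allowed:
            findings.append(("cross_unit", user, pid))
        # Rule 2: read outside normal working hours
        if ts.hour >= OFF_HOURS[0] or ts.hour < OFF_HOURS[1]:
            findings.append(("off_hours", user, pid))
        if cols & SENSITIVE:
            sensitive_reads[user].append((ts, pid))
    # Rule 3: many distinct patients' identifier columns inside one window
    for user, reads in sensitive_reads.items():
        for i, (start, _) in enumerate(reads):
            pids = {pid for ts, pid in reads[i:] if ts - start <= WINDOW}
            if len(pids) >= BULK_THRESHOLD:
                findings.append(("bulk_sensitive", user, len(pids)))
                break   # one finding per user is enough to open a case
    return findings


def summarize(findings):
    """Collapse findings to user -> set of rules tripped, for triage."""
    by_user = defaultdict(set)
    for rule, user, _detail in findings:
        by_user[user].add(rule)
    return dict(by_user)


if __name__ == "__main__":
    for rule, user, detail in analyze(AUDIT, ROSTER, PATIENT_UNIT):
        print(f"{rule:15} {user:10} {detail}")
    print(summarize(analyze(AUDIT, ROSTER, PATIENT_UNIT)))
```

Only `nurse_c` trips rules in the constructed data: the single cross-unit read might be a legitimate consult, but combined with the off-hours burst of SSN reads it is the kind of pattern a firewall never sees and a database monitor flags within the hour. Thresholds such as `BULK_THRESHOLD` would be tuned per role in practice, since a billing clerk reading financial columns all day is normal while a nurse doing so at 23:40 is not.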
Neray noted that the health information exchanges outlined under federal meaningful
use guidelines of electronic medical records will centralize data in big
data warehouses, thereby increasing the risk for data breaches.
The Web is a vulnerable spot as far as data breaches go, noted Michael Maloof, CTO of TriGeo Network Security, which makes the TriGeo Security Information Management device. "Going through the [ITRC] report, I did see a number of cases that referred generically to server breach. The vast majority of these are from client-based breaches based from the Web," he told eWEEK.
If a breach does occur, ITRC's Foley said it's important to take a snapshot
of your system to provide to law enforcement. "No matter who you had in
your organization, there will always be some thief to create grief and havoc
for you," he said.