[BreachExchange] Syracuse hospital data breach part of massive national problem

Destry Winant destry at riskbasedsecurity.com
Wed Nov 14 02:59:56 EST 2018


https://www.syracuse.com/news/index.ssf/2018/11/syracuse_hospital_patient_data_breach_part_of_massive_national_problem.html

SYRACUSE, N.Y. - The exposure of private medical information at SUNY
Upstate University Hospital is part of a rapidly growing national
problem.

So far this year 359 health information breaches at hospitals, health
insurers and other organizations have been reported to the federal
government.

Breaches involving 176.4 million health records occurred in the US
between 2010 and 2017, according to a recent study published in the
Journal of the American Medical Association.

Upstate announced Friday an employee inappropriately accessed the
medical records of 1,216 patients between Nov. 3, 2016 and Oct. 23,
2017 without having a legitimate reason to do so. The employee no
longer works at the hospital. Upstate said it was contacting affected
patients.

The hospital reported the breach to the U.S. Department of Health and
Human Services Office for Civil Rights, which investigates violations
of the Health Insurance Portability and Accountability Act, or HIPAA,
a federal law that safeguards medical information.

Upstate could face federal fines ranging from $100 to $50,000 per
violation if an investigation shows it was negligent. The Office for
Civil Rights also brings criminal charges in some HIPAA cases.

Anthem, the nation's second-biggest health insurer, recently agreed to
pay the federal government a record $16 million fine after the
personal medical information of 79 million people was exposed in a
cyberattack on the insurer's computer system.

Upstate said the former employee, who it did not identify, has not
been charged with a crime.

Upstate said it does not believe any patient information was misused
by the employee. Social Security numbers, insurance identification
numbers, credit card information and other types of information often
used by identity thieves were not compromised.

But the breached information included patient names, ages, diagnoses
and services received.

Lee Barrett of the Electronic Healthcare Network Accreditation
Commission, an independent nonprofit group, said patient data breaches
are on the rise because a medical record is worth $500 to $800 on the
black market.

The information in a medical record can be used to submit fraudulent
insurance claims, obtain medical devices, get prescription drugs and
blackmail people, Barrett said.

Barrett said breaches also are increasing because many organizations
don't have the proper procedures, policies and controls in place to
protect medical records.

Upstate did not say why the former employee accessed the records.

Barrett said disgruntled employees sometimes do this to get back at
their employers.

He said Upstate patients affected by the breach should check their
medical records to make sure they are accurate. Barrett also
recommended they check their employer's records to make sure they
don't include diagnoses they do not want disclosed.

Upstate said affected patients should be alert to suspicious activity
that could result from the breach. Patients, for example, could be
contacted by someone who has this information and attempts to obtain
additional information that could be used for identity theft.


More information about the BreachExchange mailing list