Top 10 data breaches include public health departments
We're not quite six months into 2012, and numerous headlines have showcased some large health data breaches. Whether it's outright theft, the actions of a disgruntled employee or overall carelessness, 2012 is already chock-full of noteworthy breaches. And according to recent research, the problem is only growing.
Here are 10 of the largest data breaches in 2012... so far.
1. Utah Department of Health. On March 30, approximately 780,000 Medicaid patients and recipients of the Children's Health Insurance Plan in Utah had personal information stolen after a hacker from Eastern Europe accessed the Utah Department of Technology Service's server. Initially, the number of those affected stood at 24,000, yet, according to UDOH, that number grew to 780,000, with Social Security numbers stolen from approximately 280,000 individuals and less-sensitive personal data stolen from approximately 500,000 others. The reason the hacker was able to access this information? Ultimately, it was due to a weak password.
2. Emory Healthcare. On April 18, Emory Healthcare in Atlanta announced a data breach after the organization misplaced 10 backup disks, which contained information for more than 315,000 patients. The 10 disks held information on surgical patients treated between 1990 and 2007 at Emory University Hospital Midtown and the Emory Clinic Ambulatory Surgery Center. Of the 315,000 patient files, approximately 228,000 included Social Security numbers, with other sensitive information at risk including names, dates of surgery, diagnoses, and procedure codes.
3. South Carolina Department of Health. An employee of the South Carolina Department of Health and Human Services was arrested on April 19 after he compiled data on more than 228,000 people and sent it to a private email account. Approximately 22,600 people had their Medicaid ID numbers taken, which were linked to their Social Security numbers. Others had names, addresses, phone numbers, and birth dates stolen as a result of the act. The former employee, Christopher Lykes Jr., was charged with five counts of violating medical confidentiality laws and one count of disclosure of confidential information.
[See also: 6 lasting lessons from the 2006 VA data breach.]
4. Howard University Hospital. Toward the end of March, Howard University Hospital in Washington D.C. notified approximately 34,503 patients of a potential disclosure of their PHI that supposedly occurred in late January. A laptop, which was password protected, was stolen from a contractor's vehicle, yet, according to the hospital, no evidence suggested any patient files were accessed. The records stolen did contain Social Security numbers for many of the patients affected. Today, the hospital requires all laptops issued to Howard University Health Sciences employees to be encrypted.
5. St. Joseph Health System. In February, St. Joseph Health System, in California, alerted approximately 31,800 patients of a possible security breach at three of their organizations throughout the state. According to the system, security settings were "incorrect," which allowed for the potential breach. Information accessed didn't include Social Security numbers, addresses, or financial data, yet patients' names and medical data were vulnerable. The records at risk were mostly for inpatients who received care from February through August of 2011. The data, the organization said, would have been available through Internet search engines from early 2011 to February 2012.
Continued on the next page...
6. Indiana Internal Medicine Consultants. In early February, a stolen laptop resulted in a breach of 20,000 patient records at the Indiana Internal Medicine Consultants. The organization reported the incident about a month later, and the records were recovered. Although little information about the case exists, a lawsuit was filed as a result and an arrest was made.
7. Our Lady of the Lake Regional Medical Center. Between March 16 and March 20, a laptop was stolen from a local physician office at the Our Lady of the Lake Regional Medical Center in Baton Rouge, La. The laptop contained limited health information for more than 17,000 former ICU patients, including patient names, ages, races, and dates of admission and discharge from the ICU. The organization said there is no evidence the information had been misused, or that there was any malicious intent. As of May, the investigation was still underway.
8. Memorial Healthcare System. On January 27, Memorial Healthcare System in South Florida learned of an employee who accessed patient information, as well as a second employee who accessed patient information with the intent to process fraudulent tax returns. The organization notified 9,497 patients that information including names, dates of birth, and Social Security numbers were accessed, yet, according to their statement, no medical records were taken. Letters weren't sent out to those affected until April 12, in an effort to not impede on investigations conducted by law enforcement. The two employees have since been fired.
9. The Kansas Department of Aging. In January, a laptop computer, flash drive, and paper files were stolen out of a car belonging to an employee of the Kansas Department of Aging. The Social Security numbers of approximately 100 patients were stolen, while 7,000 other seniors, and their information, were put at risk. The stolen data included names, addresses, dates of birth, gender, in-home services program participation information, Medicaid identification numbers, and more. The Social Security numbers stolen were of those patients participating in the Senior Care Act program. The organization contacted those patients via phone and sent mail notifications to all others affected.
10. The University of Arkansas for Medical Sciences. In April, the University of Arkansas for Medical Sciences investigated a breach after a document wasn't properly redacted. Approximately 7,000 patients were affected after an unidentified physician sent financial information on a patient to someone outside of the UAMS offices in mid-February. The physician didn't remove all identifiers of the patients, such as names, account numbers and dates of services. Of those affected, most were in the interventional radiology program at UAMS between 2009 and 2011. The man who received the information via email claimed he hadn't released it to anyone.