
How to Prevent Top Three Health Information Breaches

By dnicastro@hcpro.com, January 04, 2010

Major breaches of patient information in 2009 break down into three types: snoopers, hackers, and those involving large quantities of data.

So let's examine the top breaches from the past year and find out what facilities can do to prevent similar problems.

California cracks down on celebrity privacy breach

In May, state regulators in California slapped a large penalty on Kaiser Permanente's Bellflower Hospital in Bellflower, CA. Regulators found that the hospital failed to prevent employees from snooping into the medical records of the so-called Octomom, Nadya Suleman, who gave birth to octuplets in January 2009. The hospital also failed to report the inappropriate access, which is considered a security breach.

High-profile cases where hospital employees leaked details of patients' medical conditions to the news media resulted in the new California law that permits the state to impose financial penalties on healthcare providers who don't protect patients' medical records. Fines run as high as $250,000.

Lessons learned: Be sure your workforce members know your policy and that you will hold them accountable, says Margret Amatayakul, RHIA, CPHS, CPHIT, CPEHR, FHIMSS, president of Margret\A Consulting in Schaumburg, IL. "Follow your sanction policies and be strict about them," she says.
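The snooping case above was discovered and fined because the inappropriate access was neither caught nor reported. The following is an added example, not code from the article or from any of the organizations it mentions, of the kind of after-the-fact audit a privacy office can run over EHR access logs. The log lines, user names, patient IDs, the care-team table and the review rules are all constructed for illustration; a real system would draw the treatment relationships from the scheduling or admission system.

```python
"""
Added example (not from the article): audit EHR access logs to surface
"snooping", i.e. staff opening records of patients they have no treatment
relationship with. All data below is constructed for this illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one line per record view, "timestamp,user,role,patient_id"
SAMPLE_LOG = """\
2009-01-26T09:10:00,nurse_a,RN,P1001
2009-01-26T09:12:00,dr_b,MD,P1001
2009-01-26T09:30:00,clerk_c,ADMIN,P1001
2009-01-26T09:31:00,clerk_c,ADMIN,P1002
2009-01-26T09:32:00,clerk_c,ADMIN,P1003
2009-01-26T09:33:00,clerk_c,ADMIN,P1004
2009-01-26T10:05:00,nurse_a,RN,P2002
2009-01-26T11:00:00,dr_b,MD,P3003
"""

# Constructed care-team table: users with a treatment relationship to each patient
CARE_TEAMS = {
    "P1001": {"nurse_a", "dr_b"},
    "P1002": {"nurse_d"},
    "P1003": {"dr_e"},
    "P1004": {"dr_b"},
    "P2002": {"nurse_a"},
    "P3003": {"dr_b"},
}

# Patients the privacy office has flagged for mandatory review (constructed)
HIGH_PROFILE = {"P1001"}


def parse_log(text):
    """Parse the CSV-style log into dicts, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, patient = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "role": role, "patient": patient})
    return events


def audit_accesses(events, care_teams, high_profile,
                   burst_threshold=3, burst_window=timedelta(minutes=10)):
    """Return a list of (event, reason) pairs that need a privacy review.

    Hypothetical rules chosen for illustration:
      1. no_relationship: the user is not on the patient's care team
      2. high_profile: an outside-the-care-team access to a flagged patient is
         reported under its own label so it is never buried in the bulk report
      3. burst: one user views more than `burst_threshold` distinct patients
         within `burst_window`, the pattern of browsing rather than treatment
    """
    findings = []
    per_user = defaultdict(list)
    for ev in events:
        team = care_teams.get(ev["patient"], set())
        if ev["user"] not in team:
            reason = "high_profile" if ev["patient"] in high_profile else "no_relationship"
            findings.append((ev, reason))
        per_user[ev["user"]].append(ev)

    # Burst detection: sliding window over each user's accesses ordered by time
    for user, evs in per_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            window = [e for e in evs[i:] if e["ts"] - start["ts"] <= burst_window]
            if len({e["patient"] for e in window}) > burst_threshold:
                findings.append((start, "burst"))
                break  # one burst finding per user is enough for the report
    return findings


def summarize(findings):
    """Count findings per (user, reason), the shape a privacy officer triages."""
    counts = defaultdict(int)
    for ev, reason in findings:
        counts[(ev["user"], reason)] += 1
    return dict(counts)


if __name__ == "__main__":
    for ev, reason in audit_accesses(parse_log(SAMPLE_LOG), CARE_TEAMS, HIGH_PROFILE):
        print(f"{ev['ts'].isoformat()} {ev['user']:8} {ev['patient']} -> {reason}")
```

On the constructed log, every finding points at `clerk_c`: one flagged-patient access, three accesses with no treatment relationship, and one burst of four different charts in four minutes. The care-team table is what makes the audit meaningful; the sanction policy the article calls for only works if the organization can show who was and was not entitled to open a given record.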

Hackers demand ransom for prescription records

In June 2009, Virginia officials began mailing direct individual notifications to more than a half-million people whose Social Security numbers may have been contained in the Prescription Monitoring Program (PMP) database that was hacked by a criminal who demanded a $10 million ransom.

In the April 30 breach, an unidentified hacker left a ransom note at the PMP's Web site claiming to have more than eight million patient records and more than 35 million prescriptions. "For $10 million, I will gladly send along the password," the hacker reportedly wrote.

The Virginia Department of Health Professions, which oversees the PMP database, had to close the system after the breach. It reopened for registered users only after the Virginia Information Technology Agency and other law enforcement agencies cleared new security measures.

Lessons learned: "This is probably less frequent, but more difficult to protect against," says Amatayakul. Facilities need to address issues such as intrusion protection and having layered security, she says.

Facilities should look at hardening their firewall, which blocks unwanted communications coming in as well as going out, says Chris Apgar, CISSP, president of Apgar & Associates in Portland, OR. They should also have an active patch management program in place, as well as antivirus and anti-spyware software, all of which providers must keep updated. And don't forget about remote users, who need to employ the same protections, he says.

Facilities should test their Web sites and ensure they encrypt sensitive information. Hackers look for wireless networks, which are a vulnerable spot if not secured properly.

However, "your most significant risk is not the hackers," Apgar says. The biggest risk of a breach is careless staff members who have not been appropriately trained, he says.

Major pharmacy company settles privacy breaches

The Federal Trade Commission (FTC) and HHS entered into a settlement agreement with the CVS Caremark Corp., including penalties of $2.25 million, in February for violating HIPAA and FTC rules with the inappropriate disposal of PHI. The settlement followed an investigation prompted by reports that the company discarded patient information in industrial trash containers outside some of its stores, including pill bottles.

CVS failed to secure the containers, making the patient information accessible to anyone, according to HHS. The company violated the privacy of millions of its customers.

Lessons learned: CVS failed to implement adequate policies and procedures to appropriately safeguard patient information during the disposal process, according to HHS.

Organizations run into problems when they have lax practices, says Amatayakul. "Organizations should know better, and they should secure this data," she adds.

HHS also found CVS failed to adequately train employees to discard patient information properly. Many privacy problems are really a training problem, Amatayakul says.

Facilities must also safeguard data used through mobile devices, she says. Stolen or lost laptop computers that contained patient information also dominated news headlines in 2009.

Dom Nicastro is a contributing writer. He edits the Medical Records Briefings newsletter and manages the HIPAA Update Blog.
