New year, same old health data breaches

The new year brings more security woes to the healthcare industry: A spate of recent data breaches included one that was the result of a telephone scam and another due to a lost laptop.  

Among the latest:

  • At Gibson General Hospital in Princeton, Ind., a laptop containing personal information on thousands of patients was among items taken during a burglary at an employee's home. The laptop was used by an employee who required 24/7 access to patient records, according to the hospital. The hospital said the laptop had security measures in place, including password protection. Data included patient names, addresses, Social Security numbers and clinical information, but officials aren't sure what data was compromised, so they have sent letters to all 29,000 patients treated at the hospital since 2007.
  • The University of Michigan Health System is notifying approximately 4,000 patients about a potential breach after an unsecured electronic device was stolen from the car of an employee of hospital management vendor Omnicell. The device held medication, demographic and health information from patients at three hospitals who were seen between Oct. 24 and Nov. 13, according to the Detroit Free Press.
  • A breach at the Louisiana State University health system put patient financial information at risk after a former billing department employee was charged with 377 counts of identity theft. The health system has notified 416 patients that their checking account numbers and other personal information have been stolen after a hospital employee reported counterfeit checks totaling $2,500 were written on her account, reports New Orleans TV station WVUE.
  • Information including Social Security numbers was compromised in a breach affecting 1,090 Kentucky Medicaid clients, according to the Lexington Herald-Leader. An employee of Carewise Health, a Hewlett-Packard Enterprise Services subcontractor that manages Medicaid's information management system, fell for a scam in mid-November that gave a hacker unauthorized remote access to the computer system.

"I have never seen an industry with more gaping security holes," Avi Rubin, a computer scientist and technical director of the Information Security Institute at Johns Hopkins University, told the Washington Post in a story last week on healthcare's security issues.

While hackers generally are looking for financial information from which they can make a profit, the potential exists for cyberterrorists to implement much darker schemes.

A recent report from the U.S. Department of Health & Human Services Office of Inspector General urged HHS to play a more active role in educating physicians about protecting patient data in electronic health records.

To learn more:
- read the Gibson General Hospital announcement
- here's the Free Press story
- find the WVUE report
- check out the Herald-Leader article