Health data breach US

Anthem insurance

Hackers steal tens of millions of customer records from the US' second-biggest medical insurer | The Verge. Hackers have stolen tens of millions of customer and employee records from Anthem, the second-largest health insurer in the United States, after they were able to break into a database containing personal information for around 80 million people. Anthem says the hackers were able to obtain names, birthdays, addresses, and Social Security numbers, but it does not appear that medical information or financial details were taken. Anthem insures about 37.5 million people and offers plans such as Blue Cross Blue Shield in California, New York, and 12 other states. The company says it's not yet sure how many records were stolen, but that the data has yet to appear on the black market. Thomas Miller, the company's chief information officer, said it wasn't yet clear how the hackers were able to access Anthem's database; David Damato, managing director at the company Anthem hired to investigate the breach, said the attack was "sophisticated" and used advanced custom tools.

Blood bank data breach leads to settlement

Wisconsin clinic notifies patients of information breach that occurred last summer. Leader of Florida ID theft ring convicted. Back in June 2012, the Department of Justice announced that Alci Bonannee had been arrested and charged with ID theft in a massive tax refund fraud scheme. At the time, they found evidence that over 1,000 fraudulent returns had been filed by Bonannee and her co-conspirators between January 2011 and June 6, 2012. This week, Bonannee was convicted. Federal prosecutors claim that the ring that she headed had netted $11 million in federal tax refunds and involved the filing of approximately 2,000 fraudulent tax returns between December 2010 and June 2012. Bonannee theoretically faces 351 years in prison when she’s sentenced.

It would be nice if the DOJ press releases gave us a best guess of what the defendant will likely be sentenced to, as these “potentially faces” numbers are just not realistic. This time, however, the government’s press release does give us some information about the source of the stolen identity information: So… which hospital breach was this and did we know about it?

Study of healthcare breach

Omnicell health data breach details emerge. Following a Dec. 21 announcement that Omnicell, University of Michigan Health System’s (UMHS) supply management system vendor, had lost unencrypted patient information due to stolen electronic equipment, more details about the other hospitals involved in the health data breach have surfaced. In addition to the 4,000 UMHS patients notified, Sentara Healthcare and South Jersey Healthcare notified patients recently that their information was included in this breach because their information was on the stolen device as well.

Yesterday, wvec.com reported that 56,000 Sentara Healthcare patients treated between Oct. 18 and Nov. 9 at seven Sentara hospitals and three outpatient care centers in Hampton Roads, Virginia had data compromised as a result of the breach. On November 15, 2012, Omnicell learned that an Omnicell device containing some Sentara Healthcare patient information was stolen on the night of November 14th from an Omnicell employee’s locked car.

Small data breach leads to $50,000 HHS settlement for hospice. In what HHS declares as “the first settlement involving a breach of unprotected electronic protected health information (ePHI) affecting fewer than 500 individuals,” the Office for Civil Rights (OCR) reached a $50,000 settlement and two-year corrective action plan with the Hospice of Northern Idaho regarding the theft of a hospice laptop containing health information of 441 patients. (Only in the world of HIPAA can you have “unprotected … protected” information.) OCR’s press release, continuing a recent trend, emphasized the importance of encrypting mobile devices, conducting a risk analysis, and implementing policies and procedures to address mobile device security. The press release also emphasizes that OCR is willing to take aggressive actions against entities of any size that fail to safeguard patient information.

OCR reportedly has received tens of thousands of small breach reports since the interim final breach notification rule’s compliance date of September 2009.

Access to patient data

eWeek. Patient data stolen from Temple Community Hospital. Temple Community Hospital in Los Angeles is warning about 600 patients that their personal and medical information was taken earlier this summer. The theft occurred in early July, when someone stole a computer from a locked office in the radiology department, hospital staff announced Friday. The computer contained CT scans of patients, their names, the reason for the scans and the patients' hospital account numbers. The data included scans that occurred between Jan. 1 and July 2. The hospital has back-up copies of the scans. Hospital officials assured patients that their financial information, Social Security numbers and personal contact information was not on the computer. Patients who have further questions can contact the hospital at (888) 633-6122. --Anna Gorman.

Laptop with data for more than 55,000 patients stolen. Data for roughly 55,000 patients at Indianapolis-based Cancer Care Group was compromised after a bag with a laptop containing the company's computer server back-up media was stolen from an employee's locked vehicle last month. The laptop, which was stolen on July 19, according to the Indianapolis Business Journal, contained names, addresses, birth dates and Social Security numbers for patients, as well as medical record numbers and insurance information. It also contained similar information about employees for the group, which boasts more than 20 oncologists.

"There is no evidence to believe that the backup media were the target of the theft or that any of the information on the media has been accessed or used for fraudulent purposes," spokesman Clyde Lee said, noted TheIndyChannel.com. According to EHR Intelligence, Lee added that the group is in the middle of encrypting all mobile media and updating policies and procedures regarding data safety. The University of Texas M.D. As Patients' Records Go Digital, Theft And Hacking Problems Grow. As more doctors and hospitals go digital with medical records, the size and frequency of data breaches are alarming privacy advocates and public health officials. Keeping records secure is a challenge that doctors, public health officials and federal regulators are just beginning to grasp.

And, as two recent incidents at Howard University Hospital show, inadequate data security can affect huge numbers of people. On May 14, federal prosecutors charged one of the hospital's medical technicians with violating the Health Insurance Portability and Accountability Act, or HIPAA. Prosecutors say that over a 17-month period Laurie Napper used her position at the hospital to gain access to patients' names, addresses and Medicare numbers in order to sell their information. A plea hearing has been set for June 12; Napper's attorney declined comment. Just a few weeks earlier, the hospital notified more than 34,000 patients that their medical data had been compromised. Ronald J. What Is A Data Breach? Hospital to Pay $750,000 to Settle Data Breach Charges Brought by Massachusetts AG. On May 24, a Massachusetts hospital agreed to pay $750,000 to settle alleged HIPAA violations relating to a 2010 data breach.

This was the largest settlement to date for actions initiated by attorneys general under HITECH. The complaint, brought by Massachusetts Attorney General Martha Coakley, resulted from the loss of back-up tapes with unencrypted personal data affecting some 800,000 individuals. The AG brought an action against South Shore Hospital alleging that it violated the HIPAA Privacy and Security rules and the Massachusetts data security regulations (“Standards for the Protection of Personal Information of Residents of the Commonwealth”) by failing to set up sufficient safeguards, policies, and procedures for information protection.

We previously reported on key points for compliance with the Massachusetts Standards. 3 Massive Security Breaches in 3 Weeks: Taking a Closer Look - IDC Insights. While the introduction of ARRA in 2009 introduced heightened enforcement, increased reporting requirements and higher penalties for security breaches, the call for attention to security matters has clearly escaped sufficient attention among many healthcare organizations' investment priorities. Healthcare providers clearly need more comprehensive security measures, and cannot afford to wait to make investments in all areas of security, in order to avoid the multiple penalties associated with security failures. 3 high profile, high volume security breaches occurred in the past 3 weeks, compromising information on and putting over 1.3 million patients at risk in total: On April 19, the South Carolina Department of Health and Human Services (SCDHHS) announced that an employee inappropriately transferred files on 228,435 Medicaid beneficiaries to his personal email account.

The information transferred included names, addresses, phone numbers, birth dates, and Medicaid ID numbers. US health insurer fined $1.5m over 2009 data breach. U.S. health insurance company BlueCross BlueShield of Tennessee (BCBST) is being fined $1.5 million for a 2009 data breach in which unencrypted information on some one million BlueCross members was stolen. According to Computerworld, BCBST is the first company in the US to face the consequences of this particular legislation.

BCBST is an independent licensee of the BlueCross BlueShield Association, which is used by almost 100 million Americans. The fine comes on top of the $17 million the company has already spent on investigation, notification and protection. BlueCross BlueShield of Tennessee has also agreed to a 450-day "corrective action plan" that includes encrypting all at-rest data - a voluntary move that "goes above and beyond current industry standards," its press release noted.

Also, the Chattanooga-based company will monitor its workforce to ensure training and enforcement of policies and procedures. TX: Methodist Hospital employee stole cancer patients’ information for payday loan fraud. IU Health Goshen Hospital notifies applicants and patients that data may have been accessed. AP reports that Indiana University Health Goshen is notifying more than 12,800 job applicants and patients that their personal information may have been obtained illegally through a computer virus.

Hospital spokeswoman Melanie McDonald says the virus was discovered Dec. 22. An internet security company hired by the hospital was not able to determine whether any information was accessed, just that someone tried to access it. McDonald said the hospital is sending letters to 12,374 people who applied for hospital jobs in the past several years and fewer than 500 patients who pre-registered for outpatient procedures over the internet that their names, addresses and Social Security numbers may have been compromised.

The South Bend Tribune, however, reports that for patients using the pre-registration site, the vulnerable information also included their insurance information. This is the second breach reported by Indiana University in the past week. UCLA Hospitals Sued Over Patient Data Breach. Sensitive Patient Records Found Scattered At Shopping Center.

Stanford Hospital Patients’ Private Data Was Posted Online. NYC: Health Records Stolen From Van, 1.7 Million People Affected. FL: Healthcare Insurance Applications Found in Trash. Last month, I posted a breach story by Robert Siciliano about a then-unnamed insurance agency that had reportedly discarded Blue Cross Blue Shield insurance applications in a dumpster. The files were found by investigator William “Cobra” Staubs, who was engaged in “research.” Simon Barrett followed up on the incident and posted some pictures that suggest that the files may have belonged to Action Insurance Planners, LLC of Boca Raton. The agency has not issued any public statement either confirming or denying that their agency is responsible for this breach. Although the original story and Barrett’s follow-up focus on Blue Cross Blue Shield, Staubs informs this blog that there were applications for other insurance companies as well, including Cigna, Allstate, Accord, John Hancock, Aetna, and Quest, although Blue Cross Blue Shield had the most applications.

According to Staubs, the applications contained Thank you for your note concerning the possible breach of BCBSF applications. Computer Stolen Containing Research To Cure Prostate Cancer. Emily Wood, News 9 OKLAHOMA CITY -- An Oklahoma couple is urging thieves to return a stolen computer they say has the power to save millions of lives. Last Sunday, Sook Shin was carrying a possible cure for cancer on a small Apple computer with years worth of data. "I cannot eat and sleep since last Sunday," said Shin. "I'm devastated and I feel so guilty." Shin and her husband are leading cancer researchers at an OU research lab. The two have committed their lives, working long hours often seven days a week to find a cure for prostate cancer.

"It has been a long journey up to now," said Shin. The couple stopped at Panera on north Western Avenue to grab a meal before heading back to the lab. Unfortunately, most of the data was never backed up, a mistake Shin said could be a major setback in the fight against cancer. Some of that data can never be replicated. "Please return the computer with the data saved. Geisinger reports patient security breach in Wilkes-Barre area » News » The Daily Item, Sunbury, PA.

WILKES-BARRE — The Geisinger Health System could get hit with a hefty fine because a doctor at Geisinger Wyoming Valley used e-mail to send patient information to his home computer, a possible violation of strict federal health privacy rules that took effect this year. On Monday, Geisinger announced that it notified 2,928 patients that on or about Nov. 3, protected health information was e-mailed to a home account of a former Geisinger gastroenterologist.

The information included patient names, Geisinger medical records, procedure, indications and the physician’s brief impressions regarding the care provided. “It was a limited amount of information that was sent, and it did not include Social Security numbers, phone numbers or addresses,” said Geisinger spokeswoman Marcy Marshall on Tuesday. None of the patients are from Northumberland, Snyder, Montour or Union counties, Marshall said. Depending on what the Health and Human Services finds, Seeger said the doctor could face criminal charges. Personal Health Information Privacy. Health Privacy. Lost AmeriHealth Mercy Flash Drive Exposes Data of 280,000 Medicaid Members - Health Care IT from eWeek.