- As 2013 comes to a close, we at HealthITSecurity.com took a look at some of the largest and most unusual data breaches that happened this year. From reports affecting over 4 million people to inappropriate internal employee conduct, 2013 has certainly kept us busy— and shaking our heads.
While stolen devices, be it a flash drive or laptop, are frequently a common data breach cause, the most prevalent among these particular cases was unauthorized access or disclosure. Most often, an employee abused their position to access sensitive information, or in one instance created aliases to gather information from patients.
Another trend was legal action being taken as a result of the breach. In a few cases, it was unclear as to whether or not an entity or individual responsible for the breach faced any sort of consequence, but in six out of the ten stories below, someone was being brought to court.
Number of patients affected: 840,000
The largest data breaches tend to come from an administrative office, be it insurance or healthcare facility. Horizon Blue Cross Blue Shield of New Jersey’s (BCBSNJ) tipped the scales when a pair of laptops containing unencrypted patient data was stolen from their Newark headquarters. Horizon reported the missing laptops, which held information from almost 840,000 Horizon BCBSNJ members, to the Newark Police Department on Monday, November 4. Despite being cable-locked to workstations, they were apparently stolen over the weekend. Information housed on the laptops includes names, addresses, dates of birth, clinical information, and Social Security numbers.
Affected patients were notified by mail and offered credit monitoring services. Horizon announced it would be reviewing staff education and encryption processes to prevent future incidents.
Number of patients affected: More than 6,000
Patient data was stolen from a network server connecting Anthem Blue Cross Blue Shield of Indiana, Anthem Blue Cross Blue Shield of Ohio, and Empire Blue Cross Blue Shield of Indiana. Connextions, a software solutions provider, used as a call-center by Blue Cross is thought to be the source of the breach, which occurred between Nov. 1, 2011 and Oct. 1, 2012. HHS listed the breach as a “theft, unauthorized, access/disclosure” of the data. It is believed an employee may have shared information to third parties.
Anthem notified 6,000 patients by mail, and provided identity protection services to four patients whose information was abused. The Connextions employee was terminated after incident.
Number of patients affected: 729,000
Two password-protected laptops were stolen from AHMC Healthcare’s administrative offices on October 12. The data was from patients who received care a six of AHMC’s hospitals and used Medicare. Information included patient names, payment information, diagnosis and procedure codes, Medicare and insurance identification numbers, and some Social Security numbers.
AHMC hired an auditing form to run a security risk assessment, and created a laptop encryption policy.
Number of patients affected: More than 9,000
Former Johns Hopkins East Baltimore Medical Center gynecologist Nikita A. Levy illegally recorded and saved images of patients with personal photo and video equipment during examinations. Levy was fired on February 8 after the hospital learned of his actions.
The hospital notified the Baltimore Police Department, and letters were sent to Levy’s patients informing them of the situation after police approved. It is still unclear what exactly Levy recorded or what he did with said images and videos. A class-action lawsuit has been brought against Johns Hopkins Hospital, with lawyers representing nearly 3,800 women who had been seen by Levy.
Number of patients affected: 1 patient
Audra Peterson, a pharmacist at an Indiana Walgreens, was charged with accessing customer Abigail Hinchy’s private information and sharing it with her husband, Davion Peterson. Hinchy, who happens to be Davion Peterson’s ex-girlfriend, was awarded $1.44 million dollars after a trail in Marion County, Indiana. Hinchy believed Walgreens and Peterson had not done enough to protect her data, and the jury agreed.
Walgreens, however, claimed they were not responsible for Peterson’s actions because she admitted to violating company policy. This is one of the only cases in which a company was held liable for an individual’s actions, and may set a future standard for holding both private individual and company responsible for the breach and misuse of patient information.
Number of patients affected: More than 1,000
Healthcare providers and insurers are not alone in the world of internal breaches. Between April 2003 and March 2007, Helene Michel, owner of Medical Solutions Management (MSM), a medical supply company in Hicksville, NY, stole information from nursing home patients to submit false claims to Medicare, racking up $10.7 million dollars in reimbursement. She was sentenced to 12 years in federal prison on charges of wrongful disclosure of patient information under HIPAA and Medicare fraud. Michel had posed as a wound care expert, nurse practitioner, and Dr. Elene Allonce, to gather information.
Number of patients affected: More than 4 million
A common and often annoying trend in data breaches is the theft of unencrypted devices. On July 15, Advocate Medical Group of Chicago reported the theft of four unencrypted computers from its Park Ridge administrative building. The information, reaching back to the 1990s, included patient names, addresses, dates of birth, and Social Security numbers, but no health data, for over 4 million patients.
The organization offered affected patients a year of free credit monitoring services, and planned to reevaluate its security practices. While there was no report of information misuse, affected patients have filed a class-action lawsuit against the medical group in Cook County Circuit Court, claiming Advocate did not do enough to protect their private information.
8. Hope Hospice
Number of patients affected: More than 800
Unencrypted data, even in the hands of trained employees, is always a risk, and in the case of a breach, often raises questions as to how much information should be visible and which employees have access to sensitive information. An employee of Hope Hospice in New Braunfels, Texas, sent more than 800 patient’s information to his/herself in two unsecured emails, once on December 27, 2012 and on February 22, 2013. While no Social Security numbers, addresses, or dates of birth were included, names, admission and discharge dates, insurance providers, chart numbers, and referral sources were.
Affected patients were advised to contact their financial institutions and to place fraud alerts on their credit bureau accounts, but were not offered any monitoring services by Hope Hospice. The provider has since retrained staff members, and is improving security and patient privacy practices, as well as investigating the incident.
Number of patients affected: 10,000,000
Not even the government is exempt from breach-related lawsuits. An anonymous HIPAA-covered entity in Southern California is suing 15 IRS agents for a March 11, 2011 “unlawful search and seizure” after the agents allegedly accessed and took medical records from 10 million Americans. The numbers are staggering: more than 60,000,000 records were thought to be stolen without cause, and the entity, referred to as John Doe Company, believes the 4th amendment was violated since no warrant or subpoena was authorized, and none of the records belonged to someone under any known investigation, criminal or otherwise.
John Doe Company is seeking $25,000 in compensatory damages “per violation per individual.” As of June 13, members of the U.S. House Committee on Energy and Commerce had requested the IRS answers three questions related to the incident, including IRS privacy obligations and the return of information by June 21. It is not clear if the IRS has responded.
Number of patients affected: 2,400
While the HIPAA omnibus rule only came into effect in March, making subcontractors potentially liable for a data breach that occurs as a result of their employees or practices, there are plenty of past breaches that underscore exactly why the rule was created. Over the summer of 2012, a cleaning service employee stole records from 2,400 patients at River Falls Medical Clinic in River Falls, Wisconsin. The files, which have since been returned to the medical facility, were found in suspect Gordon A Eckes III”s home on November 28, and contained names, dates of birth, insurance information, account numbers, diagnosis codes, medical chart numbers, scheduling information, and Social Security numbers.
The documents were taken from a bin of files to be shredded, and the clinic promised to update its shredding procedures.