Author: Crown Information Managment

Property Management firm fined $15,000 after Data Breach of laptop containing personal information . . .

The Massachusetts Attorney General announced that a property management firm was fined $15,000 after the theft of a company laptop containing the personal information of over 600 Massachusetts residents.

According to the Massachusetts Attorney General, an employee of the property management company had a laptop containing unencrypted personal information stolen from her car during the night. This incident was found to be in violation of Massachusetts’ Data Breach Regulation.

In addition to paying $15,000 in civil penalties the company must:

• Ensure that personal information is not unnecessarily stored on portable devices;
• Ensure that all personal information stored on portable devices is properly encrypted;
• Ensure that all portable devices containing personal information are stored in a secure location; and
• Effectively train employees on the policies and procedures with respect to maintaining the security of personal information

More than twice as many individuals have been affected by healthcare data breaches in 2013 than in 2012 . . .

So far, more than twice as many individuals have been affected by healthcare data breaches in 2013 than in 2012. And the main reason is a handful of mega-breaches. The very scary part is that three large, highly publicized data breaches have not been tallied yet. If confirmed the tally of individuals affected by breaches could surge by almost a million!  Not yet included on the 2013 list so far are:

Horizon Blue Cross Blue Shield of New Jersey:  This breach included the theft of two unencrypted desktop computers from the company’s headquarters which affected nearly 840,000 individuals.

The University of Washington Medicine:  This breach affected 90,000 patients.

Cottage Health System in California:  This breach affected 32,500 people who had their personal health information exposed on Google due to a business associate whose servers were not appropriately protected.

The key to preventing healthcare data breaches includes conducting a thorough risk analysis to identify security risks; encrypting computing devices, especially mobile devices and minimizing the amount of sensitive data stored on end-user’s devices.

Key steps to preventing healthcare data breaches of all sizes, experts say, include conducting a thorough risk analysis to identify security risks; encrypting computing devices, especially mobile gear; and minimizing the amount of sensitive data stored on end-users’ devices.

Call the IRS and inform them you believe you are a victim of identity theft . . .

Call the IRS and inform them you believe you are a victim of identity theft. (Often the way you will find out that something is amiss is when you don’t receive your refund check. It may have been issued to the thief who has assumed your identity).
Fill out IRS Form 14039 and fax or mail back to IRS.
Contact the Social Security Administration. If you contact them by phone they will tell you to contact the Federal Trade Commission.
Contact the Federal Trade Commission (877-438-4338). After you contact them by phone, you will be sent an Identity Theft Complaint Affidavit.
Contact your local police department and tell them you have been a victim of identity theft. Make sure you get a case number and follow up in a few days to get the full police report.
Contact one of the three credit bureaus: Equifax at 800-525-6285, Trans Union at 800-680-7289, or Experian at888-397-3742.
Tell them you are entitled to make a victim-of-fraud statement that will be put into your credit history. In my limited experience, Equifax the most helpful; they worked diligently to make sure I was taken care of. The service representative reviewed my credit to see if any fraudulent accounts had been opened. Fortunately I was OK.

Review your credit reports once every couple of months and look for any errors or fraud. All three companies offer a service at varying degrees of cost. Remember you are entitled by law to a free copy of your credit report at least once a year.

Don’t forget to send them a full copy of the police report. They will need this to keep your fraud alert on file for more than 90 days. All three companies are required to pass on your victim statement to the other two bureaus; however it is probably a good idea to call all three after a few days to follow up.

CHS plans to notify affected patients and offer protection…

Community Health Systems (CHS), a large network of hospitals says hackers have stolen the personal information of 4.5 million patients, including patients in Florida. Community Health Systems (CHS) operates more than 200 hospitals across the country, 26 in Florida, and 12 in the Central Florida area. The company said hackers from China broke into its computers and stole the names, Social Security numbers, birthdates, addresses and telephone numbers of the patients.

The patients affected by the cyber-attack are patients who were referred to, or seen at some physician practices affiliated with some of Community Health System hospitals. Filing with the U.S. Securities and Exchange Commission, the company says the attack happened in April and June of last year. Community Health Systems Inc. says they have removed all of the malware from its network and added protection against future attacks. The company confirms none of the stolen data included credit cards or medical information.
CHS said it plans to notify the affected patients and offer identity theft protection.

CHS plans to notify affected patients and offer protection…Community Health Systems (CHS), a large network of hospitals says hackers have stolen the personal information of 4.5 million patients, including patients in Florida. Community Health Systems (CHS) operates more than 200 hospitals across the country, 26 in Florida, and 12 in the Central Florida area. The company said hackers from China broke into its computers and stole the names, Social Security numbers, birthdates, addresses and telephone numbers of the patients.

The patients affected by the cyber-attack are patients who were referred to, or seen at some physician practices affiliated with some of Community Health System hospitals. Filing with the U.S. Securities and Exchange Commission, the company says the attack happened in April and June of last year. Community Health Systems Inc. says they have removed all of the malware from its network and added protection against future attacks. The company confirms none of the stolen data included credit cards or medical information.
CHS said it plans to notify the affected patients and offer identity theft protection.

Awards $1.44 Million . . .

A Marion County jury awarded a woman $1.44 million after a four day jury trial. The lawsuit alleged Audra Peterson, a pharmacist at a Walgreens store, improperly reviewed the prescription history of Abigail Hinchy, and divulged that confidential information to her husband, Davion Peterson, who has a child with Ms. Hinchy. The lawsuit spun out of a tangled relationship between the pharmacist, her husband and the man’s ex-girlfriend.
“As a provider of pharmaceutical service, defendant Walgreens Co. owes a non-delegable duty to its customers to protect their privacy and confidentiality of its customers’ pharmaceutical information and prescription histories,” Ms. Hinchy claimed in the lawsuit.
Walgreens was negligent in training and supervising Peterson, the suit said, while Peterson breached her statutory and common law duties of confidentiality and privacy to Ms. Hinchy.

Security and breach notification with passage of new law… On June 20, 2014, the “Florida Information Protection Act of 2014” (FIPA) was signed into law by Florida Governor Rick Scott, after it received unanimous support by the legislature. FIPA will take effect on July 1, 2014 and will replace Florida’s existing data breach notification law. FIPA dramatically increases the breadth of Florida’s data breach notification law.

• Shorter timeline to notify

• Expanded definition of “Personal Information”

• FIPA applies to “covered entities” – healthcare or not

• Mandatory notice to Florida Attorney General and production of proactive measures

• Proactive measures are now required

• Federal regulatory exemption

• Third-party vendor notification

• Unfair and deceptive trade practices Statute may be used

Federal Trade Commission Begins Enforcement . . .
The Federal trade Commission, recently announced that it will now pursue cases involving the failure to maintain the confidentiality of sensitive information about an individual when a promise to the consumer (or patient) has been made by the provider of services (such as a healthcare entity) through the Notice of Privacy Practices (NPP) or other privacy policies posted on a website.

Two recent examples of the FTCs enforcement actions were recently made public. Both present different outcomes than the penalties set from the Department of Health and Human Services’ Office for Civil Rights in its settlements tied to HIPAA enforcement.

The First is Atlanta-based LabMD. As a result of this FTC enforcement action, LabMD announced that it is closing down operations, citing the impact the investigation has had on the company. LabMD suffered a breach of patient information in 2010 when a document was inadvertently leaked from its peer-to-peer network and found on a file sharing network. This prompted the FTC to open its investigation. After two years of investigation, the FTC filed a complaint that alleged LabMD had breached the information of nearly 10,000 consumers. The FTC proposed that the company implement a comprehensive security program and submit to biannual assessments by an independent third party for next 20 years.

The second recent enforcement action involved California-based GMR Transcription, which provides transcription services to healthcare organizations. The complaint alleged that due to inadequate security around how files created by the transcriptionists were handled by GMR’s service provider, they were indexed by a major Internet search engine and made available to anyone using that search engine. The GMR breach involved sensitive information, including driver’s license numbers, tax information, medical histories, notes from children’s medical examinations, medications and psychiatric notes.

In both cases, the FTC found that the companies involved failed to provide reasonable and appropriate security for personal information on their computer networks and that this failure could lead to consumer identity theft and unauthorized disclosure of private medical information. The commission further asserted that this represented an unfair act or practice under the FTC Act. And the commission stressed that HIPAA or other statutes do not constitute a shield to protect entities from the FTC Act.

In short, what this means is that the FTC intends, to fully exercise its responsibilities when it deems it appropriate and/or necessary to protect consumers. And it means that healthcare entities have one more regulatory agency overseeing their activities. Enforcement just got tougher, and, as a result, security incidents could be far more costly.

Instead of packing peanuts, poorly shredded bank statements & emails from about fifty…
Ron Myers, a Colorado man discovered some very personal information inside a package he ordered from Walmart.com. Instead of being stuffed with packing peanuts, the box was stuffed with shredded bank statements and emails from about fifty people, including organizations like Doctors Without Borders and the NCAA.

The documents were shredded horizontally along what looked like lines in an Excel spreadsheet. “We have stakeholder reports, bank statements, and all kinds of personal information. It was like the blades and the lines on the spreadsheet lined up perfectly to cut each and every one of them, perfectly legible the whole way through. We have about forty or fifty people’s full information,”

“In the wrong hands this could have been bad,” Ron Meyers “When we opened the box we found everybody’s personal information. It looks like it went through a shredder but they shredded it wrong,” Meyers said.

Meyers says he contacted Walmart and got the runaround, so he passed the information to one of the victims: the co-chair of Doctors Without Borders of Utah. Though Meyers is doing the right thing, it leaves him wondering what would have happened had the box fallen into the wrong hands. “This would be perfect for somebody who is into identity theft. They could have gotten into email accounts, bank accounts,” Meyers said. “I’d be a little upset; I’d want to know how my personal information ended up in a box in Colorado Springs if I lived in Utah.”