Aetna settled a lawsuit for $17 million Wednesday over a data breach that happened in the summer of 2017. The privacy of as many as 12,000 people insured by Aetna was compromised in a very low-tech way: The fact that they had been taking HIV drugs was revealed through the clear window of the envelope.
A Florida healthcare provider, Orlando Health, is notifying patients impacted by a breach, involving insider record snooping during the treatment period, of patients brought from the Pulse Night Club Incident.
During high-profile emergency situations and other crises, it is a challenge for healthcare organizations to protect the privacy and security of patient information, from inappropriate access, of people who are part of the organizations workforce. Curiosity &snooping seem to be part of human nature. With that said, it is extremely important for healthcare organizations to be diligent in limiting access, monitoring access and providing repercussions for those who don’t follow the rules. In a letter to patients, dated July 12 2016, Orlando Health, which operates several hospitals in central Florida, said: “While conducting patient record access audits, we learned that on June 15, an Orlando Health employee accessed patient records outside of the employee’s current job responsibilities. had no reason to access these records and we believe the employee was viewing these records out of personal curiosity. The employee was sanctioned, per Orlando Health policy.” The letter goes on to state that “the employee could view limited information in electronic medical records, including patient name, date of birth, weight, hospital location, hospital account number, hospital medical record number, date and time of admission, physician and visit reason. The information did not include any other clinical information. The employee did not have access to your full Social Security number or other financial information. The information was not downloaded or printed, and we have no evidence that your information has been used in any way or removed from the hospital.” The letter does not specify that patients affected by the breach were victims of the June 12 Pulse nightclub shooting. Nor does the letter indicate how many patients were impacted by the privacy incident. It was however, reported to WFTV, “that patients receiving the letter, and in some cases phone calls, from Orlando health, were treated for shotgun and other injuries sustained at the attack.”
In a statement, Orlando Health tells Information Security Media Group: “Numerous team members across our system require access to vital records and information in order to provide our patients with the highest levels of care. All team members are made aware, that they too, have a responsibility to maintain our patients’ privacy, and protect their personal information. As a result of this incident, we are re-educating our workforce members and increasing our already vigilant program of auditing and monitoring of patient record access. Any instance of team members accessing patient records outside of their current job responsibilities violates our policies, and steps are taken internally to discipline anyone involved. We want to assure our patients that the policies and procedures we have in place protect their information, and we are continually evaluating and modifying our practices and the practices of our employees to enhance the security and privacy of all confidential and protected health information entrusted to us.”
Comprehensive government study of identity theft turns up . . .
WASHINGTON DC – Even federal regulators were surprised by what the most comprehensive government study of identity theft turned up: nearly 10 million victims and a loss of $53 billion for businesses and consumers last year alone. And those numbers probably are low because many identity thefts go unreported, Federal Trade Commission officials said Wednesday.
It is a crime of the times. It is a growing crime, said Howard Beales, the FTC’s consumer protection director. “Unfortunately, a fair number of thieves have found it’s a fairly easy way to make money.” The FTC did a random telephone survey of 4,057 adults to try to gauge the extent of identity theft crimes in the last five years. It found 27.3 million people were victimized when someone made unauthorized charges on their credit cards, took money from their bank accounts, or obtained a credit card or official document in their name.
In 2002 alone, the cost was $48 billion for businesses and $5 billion for consumers. Beales said the number of victims was higher than he expected. In 2002, for example, the FTC received 161,819 complaints about identity theft. The commission has set up a Web site with tips on how to avoid identity theft, www.consumer.gov/idtheft and urges consumers to carefully review their credit card statements each month, destroy charge slips rather than simply throw them in the trash, and check their accounts annually with the three credit reporting bureaus. |
The agency also urged financial institutions to pay more attention to whom they are extending credit. Wayne Abernathy, the Treasury Department’s assistant secretary for financial institutions, said the FTC’s report underscores the need for Congress to act. The Bush administration favors legislation that would create a national fraud alert system and improve the accuracy of credit reports. “The problem is so great and its impact on consumers so terrible that we should not delay giving consumers and law enforcers these important new tools to fight identity theft,” he said.
But Rob Schneider of Consumers Union said the administration backed bill- the Fair Credit Reporting Act – would undermine efforts to curtail identity theft. One provision would invalidate state laws such as on recently signed by California Gov. Gray Davis that lets consumers bar companies from sharing information with an affiliated firm in a different business.
The FTC survey found more than half the victims discovered the problem by checking their accounts, and another quarter was alerted by their banks to suspicious activity on their cards. Of the 9.9 million victims last year, 5.2 million discovered unauthorized charges on existing credit card accounts, and 1.5 million found new accounts were opened by others in their names.
By Jonathan D. Salant, Associated Press
1000’s of abandoned confidential client files found in public garbage bin . . .
FORT MYERS, FL – A defunct law firm abandoned tens of thousands of confidential files containing personal information on their clients for years until a landlord threw them in a public garbage bin, a local television station is reporting.
Attorneys for the former firm of Annis, Mitchell, Cockey, Edwards and Roehn, abandoned the files after their firm closed. Ten thousand files of closed cases – ranging from divorces to sexual harassment – ended up in the hands of a reporter for WBBH, the television station reported. The files have since been turned over to a local attorney who was formerly employed by Annis Mitchell. The majority of the files remain in the landlord’s possession.
The firm had offices in Tampa, Fort Myers, Naples and Tallahassee before it was dissolved in 2001. A company that was formed as a remnant of the firm has since declared bankruptcy and an order in the bankruptcy case made each Annis Mitchell attorney responsible for their client’s files. “With identity theft the way it is, everything concerns me,” said former client Howard Wheeler, who hired the firm for a number of cases and whose files ended up in the garbage bin.
“It’s totally irresponsible,” said Herb Donica, the firm’s own bankruptcy attorney. “I can’t imagine why those files aren’t protected.”
The TV station reported in broadcasts Friday that the landlord of the former law offices repeatedly contacted the firm’s partners over the past two years asking them to pick up their files. The attorneys only took active files with them, George Vukobratovich told the station. Vukobratovich threw the files out when he finally had to make room for new tenants. The TV station said it was given files marked “confidential” The station said it told former Annis Mitchell attorneys it had the files more than a month ago, but still none of the attorneys tried to get them.
Elizabeth Tarbert, an ethics lawyer for the Florida Bar Association, said attorneys have to protect client files, even if the case is no longer active. The Florida Bar advises attorneys seeking to dispose of closed files to first contact their clients and ask them what they want done with the documents. If the files are to be disposed of, it needs to be done in a way which protects confidential information, such as shredding.
Businesses become victims of financial and non-financial identity theft . . .
In hard economic times, the likelihood of businesses becoming victims of financial and non-financial types of identity theft rises. One of the most well-known business and corporate identity theft schemes is standard electronic data breaks, or hacking, to retrieve a customer’s personal identification and information. But new trends include the theft and exposure of sensitive information by an employee of the company, and the abuse of a business’s line of credit by employees in order to purchase merchandise that is then resold.
To avoid such theft and fraud, businesses should identify privacy officers or assemble a team to enforce the rules regarding sensitive customer and employee information. Businesses should also ensure all electronically stored information is safe. Educate employees on identity theft and fraud, and the risks they can expose the company to just by visiting web sites, replying to e-mails from unknown senders, and shopping online at work!
An easy way for identity thieves to make a living . . .
Kessler International, a New York computer forensics firm conducted a six month study on the availability of information left on computers being resold. The company bought a total of 100 disk drives of various sizes from eBay and what they found was alarming – over 40 of the hard drives had retrievable information on them!
The breakdown of information is as follows:
Personal and Confidential documents, including financial information 36%
Corporate Documents 11%
Web Browsing History 11%
DNS Server Information 4%
Miscellaneous Data 4%
Many companies have recycled their old computers and hardware, without thinking about the repercussions of identity theft. They have no system in place that documents the destruction of the information. During tough economic times this becomes an even greater risk both to the company and the contacts of the user of each individual computer. Buying a used computer has now becomes one of the easy ways for identity thieves to make a living.
Total estimated risk of ID theft in US at approximately $1.5 billion . . .
Panda Security, a world leader in IT security, announced the findings from a comprehensive identity theft study conducted by PandaLabs, the company’s malware analysis and detection laboratory.
PandaLabs found that over three million of the audited users in the U.S. and more than 10 million users worldwide were infected with active identity theft-based malware last year.
According to one recent study published by an independent research firm, the mean cost per ID Theft incident in the U.S. is $496.00, putting the total estimated risk of ID theft from malware in this country alone at approximately $1.5 billion.
FL 3rd in the US in per capita rate of identity theft complaints . . .
Florida ranks third in the U.S. among the states in per capita rate of identity theft complaints and ninth in total overall complaints. This comes as no surprise as Florida has a high population of senior citizens who are often targets of fraud.
However, it was notable that e-mail is now by far the preferred method of initial contact for those who are attempting to defraud someone. The fraud complaints revealed that the victims were initially contacted by email 52% of the time and by phone only 7% of the time.