• A hacking incident at Utah Department of Health which affected 780,000 individuals including Medicaid clients, Children’s Health Insurance Plan recipients, etc.
• The Emory Healthcare breach incident which involved 10 missing computer disks, affecting 315,000 surgical patients
• A breach incident involving an ex-employee at South Carolina Department of Health and Human Services, where the employee is said to have transferred confidential patient information to his personal email account. This breach has affected 228,000 Medicaid recipients.

Breach incidents are added to the ‘Wall of Shame’ by the Department of Health and Human Services’ Office of Civil Rights following an investigation of the breach incidents to confirm the details. This list tracks the breaches which have affected 500 or more individuals since late September 2009 when the breach notification rule mandated by the HITECH Act came into effect.

It has been noted that nearly 55 percent of all major breaches reported since September 2009 have involved lost or stolen unencrypted electronic devices or media, and 7 percent involve hacking attacks. Although hacking attacks have been relatively rare in comparison to stolen or lost unencrypted devices, they are becoming more common and are therefore a growing cause for concern. The breach at Utah Department of Health is by far the largest of 30 hacking incidents on the list of major breaches.

Rebecca Herold of Rebecca Herold & Associates is of the opinion that this is an eye-opener to all business leaders and organizations that there are hackers who keep an eye on systems that they view as prime targets that can yield huge goldmines of data. It is therefore important to find ways to prevent hacker attacks by identifying and closing loopholes, which may have enabled the hacking incident. For instance, the Utah incident was possible because there was a shortcoming in protecting the state server. There was a configuration error at the authentication level, which allowed the hacker to circumvent the security system. Since such mistakes are not unlikely in the healthcare industry, it is important to consider technical means to monitor health information and to ensure that security controls are uniformly applied and maintained throughout the entity.

One such technical means to monitor and protect health information is to adopt a comprehensive security and compliance solution like SecureGRC which provides complete security to the data in an organization. It monitors the movement of information and controls access at all levels. With periodic risk assessments and capabilities for data encryption, SecureGRC offers everything that an organization needs to stay secure and compliant, and steer clear of breaches of any nature.

The post Health Information Breach Tally Soon to Cross 20 Million appeared first on Aegify.

This list of breaches tracks those breach incidents which have affected 500 or more individuals. By mid-January this year, the breach tally crossed 19 million, and the number seems to be steadily increasing: Since January 20th 2012, 24 breaches affecting a total of 143,000 individuals have been added to the list, out of which four incidents have taken place in 2012 affecting about 29,000 individuals. A noteworthy fact is that nearly 55% of all the major breaches reported till date have involved loss or theft of unencrypted storage devices or media, and 21% involved business associates.

This tally, which is being updated on a continuous basis, reveals that the number of individuals affected by healthcare information breaches has doubled since 2010, although the actual breach incidents were fewer: In 2010, about 5.4 million people were affected by a total of 212 breaches. But in 2011, more than 10.8 million individuals were affected by 145 breaches.

Some of the major breaches which contributed to the rise in the number of affected individuals in 2011 include:

• The TICARE breach which affected 4.9 million individuals
• HealthNet breach affecting 1 million individuals
• Nemours Foundation which affected more than 1 million individuals
• Sutter Health breach affecting a little less than 1 million individuals
• Eisenhower Medical Center breach affecting 514,000 individuals

These breaches account for more than 85% of individuals affected by healthcare information breaches in 2011.

Dan Berger, CEO of Redspin, a security assessment company, is of the opinion that inadequate or complete lack of HIPAA security risk analyses was the main cause for most of these breaches. He says that comprehensive security risk assessments would have identified pitfalls in the system and enabled organizations to determine whether sufficient controls were in place. The Director of the HHS Office for Civil Rights, Leon Rodriguez is also of the same opinion. According to him there are several fundamental issues like lack of policies and procedures, inadequate safeguards for data, and lack of evidence for risk analysis.

Time and again, breach incidents have been sending out a strong warning message: Data security is a matter of serious concern.Safeguarding data is not possible without a comprehensive solution that helps you measure the extent of information security in your organization and the vulnerabilities you are exposed to through automated info security and compliance process. eGestalt’s SecureGRC comes with this capability. It provides end-to-end support for all your data protection needs, ensures that risk assessment is performed at regular intervals, and prevents any kind of breach from occurring.

The post Breach Tally Continues to Grow- More Individuals Affected appeared first on Aegify.