Tuesday, September 28, 2010

Social Networks For Patients Stir Privacy, Security Worries

Social networking is infiltrating healthcare with platforms for patients to share intimate details of their diagnoses, medications, physical conditions, locations, and other personal data -- and not necessarily anonymously.

Members of emerging sites, such as PatientsLikeMe, DailyStrength, and HealthyPlace, for example, can post profiles similar to those on Facebook, and many users are posting their photos, hometowns, and personal health information that could ultimately be abused. And like mainstream social networks Facebook and LinkedIn, these online patient communities are attractive targets for identity thieves, spammers, and other bad guys trolling for valuable information, security experts say. They also could be used by attackers, employers, or other people to gather private information about the patient that could be used against him or her.

Ironically, the emergence of these sites comes amid growing concerns over patient privacy and security of their data in the move to electronic medical records. Indeed, medical identity theft is on the rise: A recent Ponemon Institute study found 1.5 million Americans have been a victim of medical identity theft, to the tune of $28.6 billion, or about $20,000 per victim.

http://www.darkreading.com/authentication/167901072/security/privacy/227500908/index.html

Monday, September 27, 2010

Personal data from 'thousands' of NY hospital patients on Internet

New York-Presbyterian Hospital/Columbia University Medical Center said Monday afternoon that personal information, including at least 10 Social Security numbers, was "inadvertently" made publicly accessible on the Internet.

Hospital officials said in a statement that information from 6,800 patients was accidentally posted on a server, according to reports from Fox News and The New York Times. The hospital has since removed the information, the media reports said.

http://www.dotmed.com/news/story/14349/

HIPAA Prosecution

http://www.justice.gov/usao/paw/pr/2010_september/2010_09_15_01.html

PITTSBURGH, SEPTEMBER 15, 2010 ‑ In the first HIPAA prosecution in the Western District of Pennsylvania, United States Attorney David J. Hickton announced today that a resident of Monroeville, Pa., has been indicted by a federal grand jury in Pittsburgh on charges of multiple illegal disclosures and use of patient individually identifiable health information for personal gain. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) law passed by Congress provides for national standards for electronic health care transactions, and protects patients from the unauthorized disclosure of personal medical information without their consent.

The 14‑count indictment named Paul C. Pepala, 34, as the sole defendant.

According to the indictment, in February 2008, Pepala, then employed at UPMC Shadyside Hospital, disclosed to others names, birth dates and Social Security numbers of patients for personal gain, in violation of federal HIPAA laws, and disclosed Social Security numbers to other persons without their authorization. This information was used to file false tax returns in 2008. Pepala was also charged with violating the Social Security Act by disclosing Social Security numbers in violation of federal law.

The law provides for a maximum total sentence of 80 years in prison, a fine of $4,730,000, or both. Under the Federal Sentencing Guidelines, the actual sentence imposed would be based upon the seriousness of the offenses and the prior criminal history, if any, of the defendant.

MIAOULIS NOTE:  This should be a warning to all employees.  Organizations may want to educate their employees on the possible penalties. 

Saint Barnabas Health Care System - BA / KPMG

An accounting firm used by the Saint Barnabas Health Care System and its affiliated hospitals in New Jersey has reportedly lost an unencrypted flash drive that may have contained some patients’ names as well as information about their health care.

In a notice on their web site, the hospital states that the flash drive lost by the KPMG LLP employee on or about May 10 did not contain patient addresses, social security numbers, personal identification numbers, date of birth, financial information or other identifiable information. The hospital said that it received a written report on the loss on June 29, but does not indicate when they first learned of the loss.

The Saint Barnabas Health Care System announced that it is sending letters to patients whose information may have been included on the flash drive and for whom they have addresses.

HHS was notified of the breach on September 10, more than 60 days after St. Barnabas was notified by KPMG, and four months after the loss itself. In their notification to HHS, the system indicated that 3,630 patients had PHI on the lost device.

Newark Beth Israel Medical Center, which is part of the St. Barnabas system, also notified HHS of this incident. Their report indicated that 956 patients were involved.

http://www.phiprivacy.net/?p=3691

MIAOULIS NOTE:  The business associate had the breach (KPMG), yet as required by HITECH it is the Hospital that notified the patients.

Saturday, September 25, 2010

Patient information found on interstate

In the latest patient privacy breach, a woman who noticed lots of paper all over the road while driving on I-30 in Arkansas later discovered two pieces of paper wedged in the grill of her car, Today's THV reports. The pages, which contained patient information, were some 75 miles away from the hospital where they were generated.

"We just thought that somebody had lost a load," Hunsinger said.

The papers included the names of two patients, addresses, the reason for their visits to 170-bed Saint Mary's Regional Medical Center in Russellville, Ark., and their social security numbers.

The revelation is intriguing, because St. Mary's document disposal process involves shredding on-site.

http://www.fiercehealthcare.com/story/patient-information-found-interstate/2010-09-23

Saturday, September 18, 2010

Janitor steals patient records for recycling money

Prosecutors have charged a Southern California health clinic janitor with stealing boxes of patient records for recycling money.

Los Angeles County chief executive William Fujioka says the stolen printouts of about 30,000 patient names, addresses and phone numbers from the Martin Luther King Jr. Multi-Service Ambulatory Care Center didn't contain private medical information.

The Los Angeles Times says 55-year-old Robert Sanders was arrested Sept. 10 and he was charged Monday with felony commercial burglary and placed on administrative leave. Jail records show he was released on his own recognizance.

http://articles.sfgate.com/2010-09-17/news/24010545_1_recycling-patient-janitor

Mayo Clinic fires employee for accessing patient records

ROCHESTER, Minn. - The Mayo Clinic has fired an employee for snooping through patients' medical and financial records.

Mayo Clinic spokesman Chris Gade said the employee accessed about 1,700 patient records at all Mayo sites between 2006 and mid-July. The employee once worked in Rochester, but recently was working in the clinic's financial unit in Arizona. Gade says the worker accessed information that was beyond the scope of the job.

It's the second high-profile firing in the past month at Mayo. In August, the clinic turned a radiologic technologist over to the Jacksonville County Sheriff's Department.

http://www.myfoxtwincities.com/dpp/news/mayo-clinic-workers-fired-snooping-sept-10-2010