Wednesday, March 28, 2012

Howard University Hospital security breach affects 34K patients

WASHINGTON (AP) - Howard University Hospital says a former contractor's personal laptop containing patient information was stolen in January.

The hospital sent letters this week to more than 34,000 patients affected by the breach.
The records held personal information, including Social Security numbers.

The hospital said in a statement that the laptop was password protected and that there is no evidence that the patients' files have been violated.

It said the former contractor downloaded the files to a personal laptop in violation of hospital policy and federal health care rules.
http://www.wjla.com/articles/2012/03/howard-university-hospital-security-breach-affects-34k-patients-74302.html
 
NOTE: Has your organization reviewed its agreements, training, etc. with contractors who have access to information? Remember that the covered entity (hospital) must notify its patients that their information may have been breached. Notice that in this article the name of the contractor was NOT mentioned. Encryption is the key: you can get to a laptop's data even if it is password protected. Non-encrypted PHI that is compromised requires reporting to the individual, the press and HHS. Research encryption today, and also review your agreements and processes with contractors/business associates. Do you know where your data is, and do you trust your business associates to protect that data?

1 comment:

Lorraine Emerick said...

Cyber criminals are becoming more sophisticated as technology connects our lives as never before in history. From our smart phones and laptops to complex infrastructure systems, cyber criminals have more platforms and opportunities to strike.

It's a whole new legal environment (HITECH ACT) and businesses wrongly believe their General Liability insurance policy covers them for all cyber-related risks. General Liability, Property, and Professional Liability policies don't address many critical information security exposures, statutory notification and credit monitoring costs, regulatory fines and penalties and class action lawsuits associated with privacy breaches.
http://www.marshallsterling.com/leeds-cybercenter