
Criminals Have Their Eyes on Your Patients’ Records

The following is a guest blog post by Art Gross, Founder of HIPAA Secure Now!
It’s one thing to have a laptop stolen with 8,000 patient records or for a disgruntled doctor to grab his patients’ records and start his own practice.  It’s another when the Cosa Nostra steals that information, siphons money from the patient’s bank account and turns it into a patient trafficking crime ring.  Welcome to organized crime in the age of big data.

Organized crime syndicates and gangs targeting medical practices and stealing patient information are on the rise. They’re grabbing patient names, addresses, insurance details, social security numbers, birth dates, etc., and using it to steal patients’ identities and their assets.

It’s not uncommon for the girlfriend of a gang member to infiltrate a medical practice or hospital, gain access to electronic health records, download patient information and hand it over to the offender, who uses it to file false tax returns. In fact, gang members often rent a hotel room and file the returns together, netting $40,000-$50,000 in one night!

Florida is a hotbed for this activity, and it’s spreading across the country. In California, narcotics investigators took down a methamphetamine ring and confiscated patient information on 4,500 patients. Investigators believe the stolen information was being used to obtain prescription drugs to make the illicit drug.

Value of patient records

Stolen patient information comes with a high price tag if the medical practice is fined under HIPAA. One lost or stolen patient record is estimated at $50, compared to a credit card record, which fetches about a dollar. Patient records are highly lucrative. The chart below shows the value of patient information that might be sitting in an EHR system:

Number of patient records    Value of patient records
1,000                        $50,000
5,000                        $250,000
10,000                       $500,000
100,000                      $5,000,000

Protect your practice

Medical practices need to realize they are vulnerable to patient record theft and should take steps to reduce their risk by implementing additional security.  Here are seven steps that organizations can take to protect electronic patient information:

  1. Perform a security risk assessment – a security risk assessment is not only required for HIPAA compliance and EHR Meaningful Use, it can also identify security risks that may allow criminals to steal patient information.
  2. Screen job applicants – all job applicants should be properly screened prior to hiring and before being given access to patient information. Look for criminal records, frequent job switches or anything else that might be a warning sign.
  3. Limit access to patient information – employees should have the minimum access necessary to perform their jobs rather than full access to electronic health records.
  4. Audit access to patient information – every employee should use their own user ID and password; login information should not be shared. Access to patient information should be recorded, including who accessed it, when, and which records they accessed.
  5. Review audit logs – organizations must keep an eye on audit logs. Criminal activity can be happening during a normal business day, and reviewing audit logs can uncover strange or unexpected activity. Let’s say an employee accesses, on average, 10 patient records per day and on one particular day they retrieve 50 to 100 records. Or records are being accessed after business hours. Both activities could be a sign of criminal activity. The key is to review audit logs regularly and look for unusual access.
  6. Security training – all employees should receive security training on how to protect patient information, and should know that all activity involving patient information is being logged and reviewed. Knowing that their actions are being observed should dissuade employees from using patient information illegally.
  7. Limit the use of USB drives – in the past it would take a truck to steal 10,000 patient charts. Now they can easily be copied onto a small thumb/USB drive and slipped into a doctor’s lab coat. Organizations should limit the use of USB drives to prevent illegal activity.
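Step 5 above describes the two checks an audit-log review is looking for: a user whose daily record count jumps far above their own average, and access outside business hours. The Python below is an added example, not code from the post or from HIPAA Secure Now!; it builds a constructed access log (the line format, the 3x-baseline rule and the 07:00-19:00 business window are all assumptions) and flags both conditions.

```python
"""Audit-log review for EHR access: per-user volume spikes and after-hours access.

Added example, not from the original post. The log line format
("<ISO timestamp> user=<id> record=<id> action=<verb>"), the multiplier
and the business-hours window are assumptions for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean

LINE_RE = re.compile(r"^(\S+) user=(\S+) record=(\S+) action=(\S+)$")


def build_sample_log():
    """Constructed sample: rjones views 10 distinct records/day Mon-Thu, then 60 on
    Friday; mlee views 3/day and one extra record at 23:40 on Wednesday."""
    lines = []
    days = ["2014-06-09", "2014-06-10", "2014-06-11", "2014-06-12", "2014-06-13"]
    for i, day in enumerate(days):
        n = 60 if day == "2014-06-13" else 10
        for k in range(n):  # spread rjones's views across 09:00-16:59
            lines.append(f"{day}T{9 + k % 8:02d}:{k % 60:02d}:00 "
                         f"user=rjones record=MRN{1000 + i * 100 + k} action=view")
        for k in range(3):
            lines.append(f"{day}T10:{k:02d}:00 user=mlee record=MRN{5000 + i * 10 + k} action=view")
    lines.append("2014-06-11T23:40:00 user=mlee record=MRN9999 action=view")
    return lines


def parse_access_log(lines):
    """Parse log lines into event dicts; malformed lines are skipped (a real
    reviewer would count them, since gaps in the log are themselves a finding)."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, user, record, action = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "record": record, "action": action})
    return events


def daily_record_counts(events):
    """Distinct patient records touched per (user, day)."""
    per_day = defaultdict(set)
    for e in events:
        per_day[(e["user"], e["ts"].date())].add(e["record"])
    return {key: len(recs) for key, recs in per_day.items()}


def flag_volume_spikes(events, multiplier=3.0, min_baseline_days=2):
    """Flag any day on which a user's distinct-record count is >= multiplier times
    the mean of their own earlier days (needs min_baseline_days of history)."""
    by_user = defaultdict(list)
    for (user, day), n in daily_record_counts(events).items():
        by_user[user].append((day, n))
    alerts = []
    for user, days in by_user.items():
        days.sort()
        for i, (day, n) in enumerate(days):
            prior = [c for _, c in days[:i]]
            if len(prior) < min_baseline_days:
                continue
            baseline = mean(prior)
            if n >= multiplier * baseline:
                alerts.append({"user": user, "date": day.isoformat(),
                               "count": n, "baseline": round(baseline, 1)})
    return alerts


def flag_after_hours(events, open_hour=7, close_hour=19):
    """Flag weekend access and access outside [open_hour, close_hour)."""
    return [{"user": e["user"], "time": e["ts"].isoformat(), "record": e["record"]}
            for e in events
            if e["ts"].weekday() >= 5 or not (open_hour <= e["ts"].hour < close_hour)]


if __name__ == "__main__":
    evs = parse_access_log(build_sample_log())
    for a in flag_volume_spikes(evs):
        print("VOLUME SPIKE:", a)
    for a in flag_after_hours(evs):
        print("AFTER HOURS:", a)
```

The baseline is computed per user from that user's own history rather than from a practice-wide number, which is what makes a clerk's jump from 10 to 60 stand out even though a front-desk role might legitimately touch 60 records a day.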

The high resale value of patient information and the ability to use it to file false tax returns or acquire illegal prescriptions make it a prime target for criminals. Medical practices need to recognize the risk and put proper IT security measures in place to keep their patient information from “securing” hefty tax refunds.

About Art Gross

Art Gross co-founded Entegration, Inc. in 2000 and serves as President and CEO. As Entegration’s medical clients adopted EHR technology Gross recognized the need to help them protect patient data and comply with complex HIPAA security regulations. Leveraging his experience supporting medical practices, in-depth knowledge of HIPAA compliance and security, and IT technology, Gross started his second company HIPAA Secure Now! to focus on the unique IT requirements of medical practices.  Email Art at artg@hipaasecurenow.com.

June 26, 2014 | Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 15 blogs containing almost 6000 articles with John having written over 3000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 14 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John launched two new companies: InfluentialNetworks.com and Physia.com, and is an advisor to docBeat. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and Google Plus. Healthcare Scene can be found on Google+ as well.

Another View of Privacy by Dr. Deborah C. Peel, MD

I thought the following TEDx video from Deborah C. Peel, MD, Founder and Chair of Patient Privacy Rights, would be an interesting contrast with some of the things that Andy Oram wrote in yesterday’s post titled “Not So Open: Redefining Goals for Sharing Health Data in Research”. Dr. Peel is incredibly passionate about protecting patients’ privacy and is working hard on that goal.

Dr. Peel is also trying to kick off a hashtag called #MyHealthDataIsMine. What do you think of the “hidden privacy and data breaches” that Dr. Peel talks about in the video? I look forward to hearing your thoughts on it.

June 25, 2014 | Written By

Not So Open: Redefining Goals for Sharing Health Data in Research

The following is a guest blog post by Andy Oram, writer and editor at O’Reilly Media.

One couldn’t come away with more enthusiasm for open data than at this month’s Health Datapalooza, the largest conference focused on using data in health care. The whole 2000-strong conference unfolds from the simple concept that releasing data publicly can lead to wonderful things, like discovering new cancer drugs or intervening with patients before they have to go to the emergency room.

But look more closely at the health care field, and open data is far from the norm. The demonstrated benefits of open data sets in other fields–they permit innovation from any corner and are easy to combine or “mash up” to uncover new relationships–may turn into risks in health care. There may be better ways to share data.

Let’s momentarily leave the heady atmosphere of the Datapalooza and take a subway a few stops downtown to the Health Privacy Summit, where fine points of patient consent, deidentification, and the data map of health information exchange were discussed the following day. Participants here agree that highly sensitive information is traveling far and wide for marketing purposes, and perhaps even for more nefarious uses to uncover patient secrets and discriminate against them.

In addition to outright breaches–which seem to be reported at least once a week now, and can involve thousands of patients in one fell swoop–data is shared in many ways that arguably should be up to patients to decide. It flows from hospitals, doctors, and pharmacies to health information exchanges, researchers in both academia and business, marketers, and others.

Debate has raged for years between those who trust deidentification and those who claim that reidentification is too easy. This is not an arcane technicality–the whole industry of analytics represented at the Datapalooza rests on the result. Those who defend deidentification tend to be researchers in health care and the institutions who use their results. In contrast, many computer scientists outside the health care field cite instances where people have been reidentified, usually by combining data from various public sources.

Latanya Sweeney of Harvard and MIT, who won a privacy award this year at the summit, can be credited both with a historic reidentification of the records of Massachusetts Governor William Weld in 1997 and a more recent exposé of state practices. The first research led to the current HIPAA regime for deidentification, while the second showed that states had not learned the lessons of anonymization. No successful reidentifications have been reported against data sets that use recommended deidentification techniques.
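The reidentification Sweeney demonstrated worked by linking quasi-identifiers (ZIP code, birth date and sex) that survive in a "deidentified" table against public records that carry the same fields. The Python below is an added example, not part of Oram's post; it measures how exposed a table is on those three fields before and after the kind of generalization HIPAA's Safe Harbor method prescribes (ZIP truncated to three digits, dates reduced to the year). The records are constructed and the column layout is assumed.

```python
"""Measure reidentification exposure of a table on its quasi-identifiers.

Added example, not from the original post. k-anonymity here means every
combination of (zip, dob, sex) occurs in at least k rows; rows whose
combination is unique are the ones a linkage attack singles out.
"""
from collections import Counter

# Constructed sample rows: (zip5, date of birth, sex, diagnosis code). Not real people.
SAMPLE = [
    ("02138", "1945-07-31", "M", "A"),
    ("02138", "1945-07-31", "M", "B"),
    ("02139", "1962-03-12", "F", "C"),
    ("02139", "1962-11-02", "F", "A"),
    ("02140", "1962-05-20", "F", "D"),
    ("02141", "1978-01-15", "M", "A"),
    ("02142", "1978-09-09", "M", "B"),
    ("02144", "1990-04-04", "F", "C"),
    ("02143", "1990-12-25", "F", "B"),
]


def quasi_identifier(rec, generalize=False):
    """The linkable fields of a row. With generalize=True, apply Safe Harbor style
    coarsening: first three ZIP digits and year of birth only."""
    zip5, dob, sex, _diagnosis = rec
    if generalize:
        return (zip5[:3], dob[:4], sex)
    return (zip5, dob, sex)


def qi_counts(records, generalize=False):
    return Counter(quasi_identifier(r, generalize) for r in records)


def k_anonymity(records, generalize=False):
    """Smallest equivalence class size: k == 1 means at least one row is unique."""
    return min(qi_counts(records, generalize).values())


def unique_fraction(records, generalize=False):
    """Share of rows that are alone in their quasi-identifier class."""
    counts = qi_counts(records, generalize)
    unique = sum(1 for r in records if counts[quasi_identifier(r, generalize)] == 1)
    return unique / len(records)


def classes_below_k(records, k, generalize=False):
    """Quasi-identifier combinations that would need further generalization or
    suppression before release at the chosen k."""
    return sorted(qi for qi, n in qi_counts(records, generalize).items() if n < k)


if __name__ == "__main__":
    for gen in (False, True):
        label = "generalized" if gen else "raw"
        print(f"{label}: k={k_anonymity(SAMPLE, gen)}, "
              f"unique rows={unique_fraction(SAMPLE, gen):.0%}, "
              f"classes below k=2: {classes_below_k(SAMPLE, 2, gen)}")
```

Run it and the raw table has k=1 with most rows unique, while the generalized table reaches k=2 with no unique rows. The same check is what a data steward would run before licensing a data set, and it shows why the deidentification debate turns on which external data the adversary is assumed to hold rather than on the table alone.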

I am somewhat perplexed by the disagreement, but have concluded that it cannot be resolved on technical grounds. Those who look at the current state of reidentification are satisfied that health data can be secured. Those who look toward an unspecified future with improved algorithms find reasons to worry. In a summit lunchtime keynote, Adam Tanner reported his own efforts as a non-expert to identify people online–a fascinating and sometimes amusing tale he has written up in a new book, What Stays in Vegas. So deidentification is like encryption–we all use encryption even though we expect that future computers will be able to break current techniques.

But another approach has flown up from the ashes of the “privacy is dead” nay-sayers: regulating the use of data instead of its collection and dissemination. This has been around for years, most recently in a federal PCAST report on big data privacy. One of the authors of that report, Craig Mundie of Microsoft, also published an article with that argument in the March/April issue of Foreign Affairs.

A simple application of this doctrine in health care is the Genetic Information Nondiscrimination Act of 2008. A more nuanced interpretation of the doctrine could let each individual determine who gets to use his or her data, and for what purpose.

Several proposals have been aired to make it easier for patients to grant blanket permission for certain data uses, one proposal being “patient privacy bundles” in a recent report commissioned by AHRQ. Many people look forward to economies of data, where patients can make money by selling data (how much is my blood pressure reading worth to you?).

Medyear treats personal health data like Twitter feeds, letting you control the dissemination of individual data fields through hash tags. You could choose to share certain data with your family, some with your professional care team, and some with members of your patient advocacy network. This offers an alternative to using services such as PatientsLikeMe, which use participants’ data behind the scenes.

Open data can be simulated by semi-open data sets that researchers can use under license, as with the Genetic Association Information Network that controls the Database of Genotypes and Phenotypes (dbGaP). Many CMS data sets are actually not totally open, but require a license to use.

And many data owners create relationships with third-party developers that allow them access to data. Thus, the More Disruption Please program run by athenahealth allows third-party developers to write apps accessing patient data through an API, once the developers sign a nondisclosure agreement and a Code of Conduct promising to use the data for legitimate purposes and respect privacy. These apps can then be offered to athenahealth’s clinician clients to extend the system’s capabilities.

Some speakers went even farther at the Datapalooza, asking whether raw data needs to be shared at all. Adriana Lukas of London Quantified Self and Stephen Friend of Sage Bionetworks suggested that patients hold on to all their data and share just “meanings” or “methods” they’ve found useful. The future of health analytics, it seems to me, will use relatively few open data sets, and lots of data obtained through patient consent or under license.

June 24, 2014 | Written By

HIPAA Security and Audits with Mac McMillan

If you missed the recent HIPAA Privacy and Security hangout I did with Mac McMillan, CEO of Cynergistek, you’re missing out. I think this HIPAA interview is an extension of what we started in our post “6 Reality Checks of HIPAA Compliance.” There’s a real awakening that’s needed when it comes to HIPAA. I love that in this hangout Mac says the patience in Washington for those that aren’t HIPAA compliant is running low. An example of that is another topic we discuss: HIPAA audits. The first round of HIPAA audits was more of a barometer of what was happening. The next round will likely be much more damaging.

Watch the entire HIPAA interview with Mac McMillan to learn even more:

May 20, 2014 | Written By

Healthcare Risks, Privacy Risks, and Blowing Up MU


All of healthcare has risks. The key is getting a good grasp of all the risks. Are we doing that really well in healthcare IT and EHR?


I repeatedly find that most people are happy to give up some privacy risk for the potential for better health. This increases even more when someone is seriously sick. Privacy becomes even less important to them.


I always love to see tweets from someone I’ve never met or heard of tweeting out my articles. Tim did a good job summarizing my post about blowing up meaningful use. The post has gotten some good traction and a great discussion. I’m sure that they won’t take my exact approach, but I hope that it will help push ONC to move MU in a direction of extreme simplification.

May 18, 2014 | Written By

Where Are the Big Business Associate HIPAA Breaches?

It seems like I have HIPAA and security on my mind lately. It started with me writing about the 6 HIPAA Compliance Reality Checks whitepaper and then carried over with my piece looking at whether cloud adoption addresses security and privacy concerns. In the latter post, there’s been a really rich discussion around the ability of an enterprise organization to secure its systems better than most healthcare organizations.

As part of that discussion I started thinking about the HHS HIPAA Wall of Shame. Off hand, I couldn’t think of any incidents where a business associate (i.e., a healthcare cloud provider) was ever posted on the wall, or any reports of major HIPAA breaches by a large business associate. Do you know of some that I’ve just missed?

When I looked at the HIPAA Wall of Shame, there wasn’t even a covered entity type for business associates. I guess they’re not technically a covered entity even though they act like one now thanks to HIPAA Omnibus. Maybe that’s why we haven’t heard of any and we don’t see any listed? However, there is a filter on the HIPAA Breach disclosure page that says “Business Associate Present?” If you use that filter, 277 of the breaches had a “business associate present.” Compare that with the 982 breaches they have posted since they started in late 2009.

I took a minute to dig into some of the other numbers. Since they started in 2009, they’ve reported breaches that affected 31,319,872 lives. My rough estimate for 2013 (which doesn’t include some breaches that occurred over a period of time) is 7.25 million lives affected. So far in 2014 they’ve posted HIPAA breaches with 478,603 lives affected.

Certainly HIPAA omnibus only went into effect late last year. However, I wonder if HHS plans to expand the HIPAA Wall of Shame to include breaches by business associates. You know that they’re already happening or that they’re going to happen. Although, not as often if you believe my previous piece on them being more secure.

As I considered why we don’t know of other HIPAA business associate breaches, I wondered why else we might not have heard more. I think it’s naive to think that none of them have had issues. Statistics alone tell us otherwise. I do wonder if there is just not a culture of following HIPAA guidelines, so we don’t hear about them?

Many healthcare business associates don’t do much more than pay lip service to HIPAA. Many don’t realize that under the new HIPAA omnibus they’re going to be held accountable similar to a covered entity. If they don’t know those basic things, then can we expect them to disclose when there’s been a HIPAA breach? In healthcare organizations they now have that culture of disclosure. I’m not sure the same can be said for business associates.

Then again, maybe I’m wrong and business associates are just so much better at HIPAA compliance, security and privacy, that there haven’t been any major breaches to disclose. If that’s the case, it won’t last forever.

April 29, 2014 | Written By

Why HIPAA isn’t Enough to Keep Patient Data Secure

The following is a guest blog post by Takeshi Suganuma, Senior Director of Security at Proficio.
Just meeting minimum HIPAA safeguards is not enough to keep patient data secure. This should come as no surprise when you consider that HIPAA was developed as a general framework to protect PHI for organizations ranging from small medical practices to very large healthcare providers and payers. After all, one size seldom fits all.

While HIPAA is a general, prescriptive framework for security controls and procedures, HIPAA disclosure rules and penalties are very specific and have increased impact as a result of the Omnibus Final Rule enacted last year. The CIOs and CSOs we talk to are not willing to risk their organization’s reputation by just implementing the minimum HIPAA safeguards.

The collection, analysis, and monitoring of security events is a prime example of where medium to large-sized organizations must do much more than just record and examine activity as prescribed by HIPAA.

The challenge of effectively monitoring and prioritizing security alerts is exacerbated by the changing threat landscape. Unlike the visible incursions of the past, new attacks employ “low and slow” strategies. Attackers are often able to systematically pinpoint security weaknesses and then cover all traces of their presence as they move on to penetrate other critical IT assets.

Hackers are using multiple attack vectors including exploiting vulnerabilities in medical devices and printers. Networked medical devices represent a significant security challenge for hospitals, because their IT teams cannot upgrade the underlying operating system embedded into these devices. Many medical devices using older versions of Windows and Linux have known security vulnerabilities and are at risk of malware contamination.

Insider threats comprise a significant risk for healthcare organizations. Examples of insider threats include employees who inappropriately access the medical records, consultants who unintentionally breach an organization’s confidentiality, and disgruntled employees seeking to harm their employer. Insider activity can be much more difficult to pinpoint than conventional external activity as insiders have more privileges than an external attacker. Security event monitoring and advanced correlation techniques are needed to identify such suspicious behavior. For example, a single event, such as inappropriate access of a VIP’s medical records, might go unnoticed, but when the same person is monitored saving files to a USB drive or exhibiting unusual email activity, these correlated events should trigger a high priority alert.
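The correlation described above is a scoring problem: each signal on its own is weak, but several signals from the same user inside a short window add up. The Python below is an added example, not Proficio's code; it applies that idea to a constructed event list (the signal names, the weights, the 24-hour window and the priority thresholds are all assumptions a real SIEM rule would tune).

```python
"""Correlate weak per-user signals into a prioritized alert.

Added example, not from the original post. Signal names, weights, the
24-hour window and the priority thresholds are illustrative assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Weight per signal type; anything not listed is ignored by this rule.
SIGNAL_WEIGHTS = {"vip_record_access": 2, "usb_write": 2, "email_anomaly": 1}
# (minimum score, priority), checked from highest to lowest.
THRESHOLDS = [(4, "high"), (3, "medium"), (0, "low")]

# Constructed sample events: (user, ISO timestamp, signal). Not real data.
SAMPLE_EVENTS = [
    ("tclerk", "2014-03-10T14:05:00", "vip_record_access"),
    ("tclerk", "2014-03-10T16:30:00", "usb_write"),
    ("tclerk", "2014-03-11T08:10:00", "email_anomaly"),
    ("nurse_b", "2014-03-10T09:00:00", "vip_record_access"),   # single event only
    ("admin_c", "2014-03-01T12:00:00", "usb_write"),           # two events, weeks apart
    ("admin_c", "2014-03-20T12:00:00", "email_anomaly"),
    ("billing_d", "2014-03-12T09:00:00", "vip_record_access"),  # authorized access plus one oddity
    ("billing_d", "2014-03-12T11:00:00", "email_anomaly"),
    ("tclerk", "2014-03-10T14:06:00", "unknown_signal"),        # ignored: no weight defined
]


def priority_for(score):
    for floor, label in THRESHOLDS:
        if score >= floor:
            return label
    return "low"


def correlate(events, window=timedelta(hours=24)):
    """For each user, find the window (ending at one of their events) in which the
    set of distinct signal types carries the highest total weight, and map that
    score to a priority. Returns {user: {score, signals, window_end, priority}}."""
    by_user = defaultdict(list)
    for user, ts, signal in events:
        if signal in SIGNAL_WEIGHTS:
            by_user[user].append((datetime.fromisoformat(ts), signal))

    findings = {}
    for user, evs in by_user.items():
        evs.sort()
        best = {"score": 0, "signals": (), "window_end": None}
        for i, (t_end, _) in enumerate(evs):
            # Distinct signals seen in [t_end - window, t_end]; repeats don't add weight.
            in_window = {s for t, s in evs[: i + 1] if t_end - t <= window}
            score = sum(SIGNAL_WEIGHTS[s] for s in in_window)
            if score > best["score"]:
                best = {"score": score, "signals": tuple(sorted(in_window)),
                        "window_end": t_end.isoformat()}
        best["priority"] = priority_for(best["score"])
        findings[user] = best
    return findings


if __name__ == "__main__":
    for user, f in sorted(correlate(SAMPLE_EVENTS).items()):
        print(f"{user:10s} {f['priority']:6s} score={f['score']} signals={f['signals']}")
```

Counting each signal type once per window is deliberate: a user who writes ten files to a USB drive in an afternoon is one "usb_write" signal, not ten, so the score reflects the breadth of suspicious behaviour rather than the volume of any one kind. The billing user ends up at medium rather than high because their VIP access is expected for their role; the extra email signal is what warrants a look.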

The volume of security alerts generated in even a mid-size hospital is staggering – tens of millions a day. Without a tool to centrally collect and correlate security events, it is extremely difficult to detect and prioritize threats that could lead to a PHI data breach. Log management and SIEM systems are part of the solution, but these are complex to administer and require regular tweaking to reflect new security and compliance use cases.

Technology alone is just a starting point. Unfortunately, hackers don’t restrict their activities to local business hours, and neither should the teams responsible for the security of their organization. Effective security event monitoring requires technology, process, and people. Many healthcare organizations that lack in-house IT security resources are turning to Managed Security Service Providers (MSSPs) who provide around-the-clock Security Operations Center (SOC) services.

The challenge for today’s security teams, whether internal or outsourced, is to accurately prioritize alerts and provide actionable intelligence that allows a fast and effective response to critical issues. Tomorrow’s goal is to move beyond reporting incidents to anticipating the types of suspicious behaviors and patterns of multi-stage attacks that could lead to data being compromised. Multi-vector event correlation, asset modeling, user profiling, threat intelligence and predictive analytics are among the techniques used to achieve preventive threat detection. The end game is a preemptive defense where real-time analysis of events triggers an automated response to prevent an attack.

The increasing cost of litigation and the loss of reputation that result from an impermissible disclosure of PHI are driving healthcare organizations to build robust security controls and monitor and correlate real-time security events. HIPAA guidelines are a great start, but not enough if CIOs want to sleep easily at night.

March 21, 2014 | Written By

Good Decisions, EMR Sales, and Patient Data Availability


This is true if the actors are well intentioned. I’ve found that most in healthcare have the right intentions. Although, many don’t have the right data that could help them make better decisions.


I’m going to have to chew on the idea of EMR sales being non-linear. An interesting observation by Chandresh. I’m excited to hear Chandresh share more of his experience with EMR sales at the Health IT Marketing and PR conference.


I’m not sure if this was the exact intent of this tweet, but it reminded me of a discussion I had with some really chronic patients. To a person (and the parents since these were kids), they couldn’t give a rip about privacy. They were more than happy to give up any and all privacy if it would help them find a cure or treatment for their child. This reminds me that context is really important when it comes to privacy.

March 9, 2014 | Written By

In 2014, Health IT Priorities are Changing

The following is a guest blog post by Cliff McClintick, chief operating officer of Doc Halo. Cincinnati-based Doc Halo sets the professional standard for health care communication offering secure messaging for physicians, medical practices, hospitals and healthcare organizations. The Doc Halo secure texting solution is designed to streamline HIPAA-compliant physician and medical clinician sharing of critical patient information within a secure environment.

2014 is a major year for health care, and for more reasons than one.

Of course, some of the most significant reforms of the Affordable Care Act take effect this year, affecting the lives of both patients and providers.

But it’s also a year in which health care institutions will come to grips with IT issues they might have been putting off. Now that many organizations have completed the electronic health record implementations that were consuming their attention and resources, they’re ready to tackle other priorities.

Expect to see issues related to communications, security and the flow of patient information play big in coming months. At Doc Halo, we’re already seeing high interest in these areas.

Here are my predictions for the top health IT trends of 2014:

  • Patient portal adoption. Web-based portals let patients access their health data, such as discharge summaries and lab results, and often allow for communication with the care team. Federal requirements around Meaningful Use Stage 2 are behind this trend, but the opportunity to empower patients is the exciting part. The market for portals will likely approach $900 million by 2017, up from $280 million in 2012, research firm Frost & Sullivan has predicted.
  • Secure text messaging. Doctors often tell us that they send patient information to their colleagues by text message. Unfortunately, this type of data transmission is not HIPAA-compliant, and it can bring large fines. Demand for secure texting solutions will be high in 2014 as health care providers seek communication methods that are quick, convenient and HIPAA-compliant. Doc Halo provides encrypted, HIPAA-compliant secure text messaging that works on iPhone, Android and your desktop computer.
  • Telehealth growth. The use of technology to support long-distance care will increasingly help to compensate for physician shortages in rural and remote areas. The world telehealth market, estimated at just more than $14 billion in 2012, is likely to see 18.5 percent annual growth through 2018, according to research and consultancy firm RNCOS. Technological advances, growing prevalence of chronic diseases and the need to control health care costs are the main drivers.
  • A move to the cloud. The need to share large amounts of data quickly across numerous locations will push more organizations to the cloud. Frost & Sullivan listed growth of cloud computing, used as an enabler of enterprise-wide health care informatics, as one of its top predictions for health care in 2014. The trend could result in more efficient operations and lower costs.
  • Data breaches. Health care is the industry most apt to suffer costly and embarrassing data breaches in 2014. The sector is at risk because of its size — and it’s growing even larger with the influx of patients under the Affordable Care Act — and the introduction of new federal data breach and privacy requirements, according to Experian. This is one prediction that we can all hope doesn’t come true.

To succeed in 2014, health care providers and administrators will need to skillfully evaluate changing conditions, spot opportunities and manage risks. Effective health IT frameworks will include secure communication solutions that suit the way physicians and other clinicians interact today.

Doc Halo, a leading secure physician communication application, is a proud sponsor of the Healthcare Scene Blog Network.

January 30, 2014 | Written By

The Wackiest HIPAA Data Breaches of 2013

The following is a guest post by David Vogel, blogger for Layered Tech.
2013 was a historic year for HIPAA violations, with more than 5.7 million patients affected and the second-largest breach ever reported in the U.S. Department of Health & Human Services online database.

The year also featured some of the strangest violations ever seen, including some incredible security whiffs, business associate failures, and criminal shenanigans. Let’s dive into the top five “funny if they weren’t true” data breaches of the past year:

News Crew Goes Dumpster Diving for Patient Records
When an Indianapolis parishioner stumbled across medical records in a recycling dumpster on church property, an investigative reporter from the local NBC affiliate jumped in, literally. What the reporter found were thousands of patient records containing medical history, Social Security numbers, credit card info and other data.

Upon investigation, the dumped records were tied back to the Comfort Dental offices in Marion and Kokomo, Indiana, which closed after the dentist who ran the offices lost his medical license due to fraudulent billing.

You can’t make this sort of thing up.

To add further intrigue, before calling in the Feds, the news crew loaded up the boxes of records and stored them at the studio. According to the reporter, their past experiences with finding private health information taught them the “way to best protect this info and to get action is to do exactly what we did.”

The files have since been handed over to officials, who have determined that 5,388 people were affected.

Indiana news reporter Bob Segall investigates patient records dumped in a church recycling bin. Courtesy: WTHR-TV

Miniaturized Medical Data Float Around Fort Worth
In May of 2013, Fort Worth residents found sheets of microfiche from the ’80s and ’90s in a park and other public areas of the city. The sheets, which contained miniaturized medical records from Texas Health Fort Worth, had been destined for destruction but had apparently been lost by the business associate (BA) contracted to shred them.

The bad news for the 277,014 patients potentially affected? The microfiche sheets likely contained Social Security numbers among the medical records. The slight glimmer of hope? Microfiche format and readers have become very rare, lessening the chance of the records being recognized and misused.

Example microfiche sheet via Wikimedia


X-Rays Worth Their Weight in Silver
When Raleigh Orthopaedic Clinic hired a contractor to transfer x-ray films to digital images, they ended up on the wrong side of a nefarious scam. In March, the clinic discovered that their contractor instead sold the films to a recycling company to be scrapped for their silver, leaving the clinic with no digital version of the x-rays, no validation of their destruction, and the 6th-largest HIPAA breach of 2013 (17,300 patients affected).

No Privacy for Kim Kardashian and Baby North West
When celebrities Kim Kardashian and Kanye West checked into L.A.’s Cedars-Sinai Medical Center for the birth of their child, it wasn’t just paparazzi looking for the inside scoop. Six staffers were fired from the hospital in the days following the birth of baby North West for having “inappropriately accessed” patient data. The resulting investigation found that five of the suspects snooped on the patient records using the log-ins of the physicians for whom they worked, which also violated hospital policy. The other suspect had access to the patient database for billing purposes.

Image via Wikimedia

Felon Gets Hospital Job, Steals Records for Tax Scam
A failed attempt to cash a fraudulent check led to the discovery of one of the most disturbing HIPAA breaches of 2013. The story starts when Oliver Gayle, a Miami man with past felony convictions for racketeering and grand theft, got a temp job at the Mount Sinai Medical Center in Miami Beach after an inaccurate background check. Gayle then began accessing and printing hundreds of patient records and transactional information from the hospital’s account database. The stolen records went unnoticed until a bank notified police about an attempt to cash a bad check and gave a description of the car Gayle was driving.

What happened next was like a story out of America’s Dumbest Criminals.

When Gayle was pulled over, police found that he had more than 15 suspensions on his driver’s license and prepared to have the car towed. However, Gayle first requested that officers bring along an open bag from the car. Inside the bag, officers found a treasure trove of patient and financial information, including more than a hundred Mount Sinai records, copies of U.S. Treasury checks, Social Security numbers, fraudulent tax returns and a counterfeit U.S. visa.

Gayle has since been convicted for his identity theft tax refund scheme and faces decades in prison on the fraud and identity theft charges. In the meantime, Mount Sinai may face penalties for the HIPAA violations, which affected 628 people.

About the Author: David Vogel is a blogger for Layered Tech, a leading provider of HIPAA-compliant hosting and private cloud. Connect with David on Twitter (@DavidVogelDotCo) and Google+ (+David Vogel).

January 16, 2014