Recent data breaches affecting Florida's Palm Beach County Health Department, Wisconsin's Oneida Health Center, and Arkansas' Pain Treatment Centers of America (PTCOA) and Interventional Surgery Institute (ISI) have exposed more than 23,000 patients' personal information.
According to PTCOA and ISI, the personal data of 19,397 of their patients was exposed when data servers belonging to third-party vendor Bizmatics were hacked. Bizmatics owns and operates the electronic health record and practice management tool PrognoCIS, which is used by PTCOA and ISI, among others (h/t FierceHealthIT).
Because PrognoCIS stores and organizes patient files, the hacker may have accessed patient names, addresses, health insurance information, health visit information, driver's license numbers and, in some cases, Social Security numbers.
"Bizmatics has consulted with law enforcement and has hired an independent cyber forensics firm to investigate and assure the intrusion is contained and the affected systems are better secured," PTCOA and ISI CEO Bill McCrary wrote in the notification letter [PDF]. "We have learned that Bizmatics became aware of the incident in late 2015, but neither Bizmatics, law enforcement, nor the cyber forensics firm is able to pinpoint the precise date on which the attack began."https://o1.qnsr.com/log/p.gif?;n=203;c=204660766;s=9477;x=7936;f=201812281312070;u=j;z=TIMESTAMP;a=20392931;e=i
All those affected are being offered a free one-year membership in Experian's ProtectMyID Alert service.
The Oneida Health Center in Wisconsin recently announced that on February 17, 2016, a flash drive containing patient information was stolen from its dental offices. The drive held 2,734 patients' names, dental patient identification numbers, dates of visits, and dental insurance identification numbers (h/t HealthITSecurity).
Although the theft was discovered the same day and police were immediately notified, the drive has not been recovered.
"To prevent a reoccurrence of this type of isolated internal incident, we are implementing the following measures: reviewing and implementing administrative procedures regarding the use of flash drives and implementing appropriate technological safeguards concerning their security and storage," the center said in a statement.
And the Florida Department of Health recently announced that federal law enforcement officials had obtained a list of 1,076 Palm Beach County Health Department patients' names, birthdates, Social Security numbers, Medicaid numbers, phone numbers and medical record numbers (h/t Modern Healthcare).
"The feds obtained this list," department spokesman Tim O'Connor told Modern Healthcare. "We don't know how."
"The Department of Health takes its role of safeguarding client's personal information very seriously. and is keenly aware of how important this information is to everyone and is fully committed to safeguarding all confidential information," the department said in a statement. "The department trains staff on the importance of safeguarding protected health information by requiring annual HIPAA and Privacy and Information Security training to all employees."
According to the Healthcare Edition of the 2016 Vormetric Data Threat Report, 96 percent of senior IT security executives at U.S. healthcare organizations feel vulnerable to data threats, and 63 percent have experienced a data breach.
The report, based on responses from 1,100 senior IT security executives at large enterprises, including more than 100 at U.S. healthcare organizations, also found 60 percent of respondents at healthcare organizations are increasing spending to protect sensitive data, and 46 percent are planning to invest in data-at-rest defenses this year.
"With the boom in black market sales of healthcare data, the potential for financial harm to patients’ privacy and security from inadequately protected data is growing fast," Vormetric vice president of marketing Tina Stewart said in a statement.
"For healthcare organizations, they now have to prioritize the safety of patient data and privacy as part of patient care, and realize that meeting compliance requirements is only a start," Stewart added.
A recent eSecurity Planet article offered advice on securing sensitive data in a post-perimeter world.