Lost or stolen Harris County Hospital District flash drive
Technorati Tag: Security Breach
Date Reported:
8/7/08
UPDATED 8/12/08, See Reference URL
Organization:
Harris County (TX)
Contractor/Consultant/Branch:
Harris County Hospital District ("HCHD")
Victims:
Patients
Number Affected:
"About 1,200"
Types of Data:
"ranging from names, birth dates and Social Security numbers to medical diagnoses and treatments"
Breach Description:
"A low-level Harris County Hospital District administrator probably violated federal law when she downloaded medical and financial records for 1,200 patients with HIV, AIDS and other medical conditions onto a flash drive that later was lost or stolen"
Reference URL:
Houston Chronicle (Original)
Houston Chronicle (Follow-up)
Houston Chronicle (8/12/08 Update, "Worker who lost data no longer on job")
Report Credit:
Liz Austin Peterson, Houston Chronicle
Response:
From the online sources cited above:
A low-level Harris County Hospital District administrator probably violated federal law when she downloaded medical and financial records for 1,200 patients with HIV, AIDS and other medical conditions onto a flash drive that later was lost or stolen, legal experts said Thursday.
[Evan] I don't quite understand the importance of "low-level". Low-level, mid-level, executive, and every other person in an organization is responsible for the protection of sensitive information. The question is whether or not the person largely responsible for this breach knew that she was significantly increasing the risk of sensitive information disclosure. If not, then there are probably some significant deficiencies in the HCHD information security program.
District officials have refused to release any information about the employee who saved the information to the now-missing device.
A memo from the district's chief financial officer obtained by the Houston Chronicle identifies the employee as an associate administrator.
The hospital district has released little information about the situation.
[Evan] For fear of?
On Wednesday, spokesman Bryan McLeod issued a brief statement to the Chronicle saying patients affected by the breach would receive a letter in the mail and would be allowed to enroll in a credit protection program at the district's expense.
[Evan] Credit protection does not make the information secret again, and does not protect someone from being denied insurance because of a pre-existing condition. I am more concerned about the medical information than I am about Social Security numbers. It can be very damaging to a person when it is disclosed that they have HIV, AIDS or some other terrible disease.
The district has strengthened its policies and procedures regarding the use of transportable media devices, the statement said.
[Evan] How? People deserve to know how their information will be protected. Judging from this statement, what are we to assume were the policies and procedures before this breach occurred? Will people follow policies and procedures if they are not trained and aware?
Harris County Judge Ed Emmett, who was briefed on the problem Thursday morning, described the situation as "the worst possible thing" imaginable.
The data stored on the drive was not password-protected or encrypted and included "total files" ranging from names, birth dates and Social Security numbers to medical diagnoses and treatments.
"It was just a major screw-up by an employee," Emmett said, adding that the worker reported the loss to superiors.
[Evan] I have to question whether this was a "major screw-up by an employee" or a poorly managed information security and risk management program, or a combination. I don't have any details, so I am left to speculate.
"I think everybody's hope is that the flash drive fell in a trash can and is in a landfill somewhere now," he said.
McLeod later issued a second brief statement saying the data on the device included the patients' names, medical record numbers, billing codes, the facilities where the office visits occurred and other billing information.
It also included the patients' Medicaid or Medicare numbers, which can indicate their Social Security numbers or those of their spouses.
According to McLeod's Wednesday statement, the employee transferred the information to the portable storage device to complete a project at home.
[Evan] Using a flash drive to complete a project at home is fine if the information is not sensitive. If an organization wants/expects employees to work from home, the organization should provide a secure means of doing so. Wasn't this one of the primary factors behind the development and deployment of VPN technologies? VPNs have been around for a while now (I think I installed my first one back in 1997).
Asked for details about the project on Thursday, McLeod would only say it was "being used to review data as part of HCHD's ongoing compliance and monitoring process."
[Evan] Ironic.
The July 31 memo obtained by the Chronicle was sent by Ferdinand Gaenzel to employees at the district's administrative office near Reliant Stadium. In it, he said three "memory sticks" belonging to the associate administrator were missing and were last seen on her desk.
The information on one of them was "very important to the district and needs to be found as soon as possible," he added.
"However you choose to return them, we will keep your name confidential, unless you want to celebrate finding them, which I am willing to do," he said.
[Evan] This reads desperate.
Emmett said the employee responsible had not been fired because hospital district officials fear it would dissuade other workers from admitting similar mistakes.
[Evan] It would also make it difficult to fire her if she had no idea that she was violating policy and procedure, or if it had become common practice in lieu of policy and procedure.
But he called on the district to send a strong message that violating security and privacy policies will not be tolerated.
"I think some violations are so severe that you don't have any choice," he said. "Termination just would have to be an option."
General Information from Reference URLs:
The Health Insurance Portability and Accountability Act, or HIPAA, requires health-care providers to safeguard patient records containing individually identifiable health information. The law calls for a $100 fine per violation but sets a $25,000 cap for each calendar year. The most serious violations, such as stealing information to sell it, could result in criminal prosecutions.
The federal Department of Health and Human Services fined Seattle-based Providence Health & Services $100,000 last month for allowing backup tapes, optical disks, and laptops containing unencrypted electronic protected health information to be lost or stolen in 2005 and 2006. The devices contained information about more than 386,000 patients.
Aside from that case, however, the federal government has done relatively little to crack down on HIPAA violations, the law professors said.
[Evan] What good is a law that is not enforced and the people governed by it know that it is not enforced?
"This is an egregious invasion of people's privacy ... but the history of privacy violations in the United States is that there's all kinds of smoke, but very little enforcement of privacy laws," said Dr. William Winslade, who teaches health law at the University of Houston.
Commentary:
Everything I write in my comments is my opinion and ranting. This is a breach that just gives me a general sense of insecurity. Seems like common sense stuff to me.
I would encourage Harris County to arrange for a third-party review of information security and risk management practices.
Past Breaches:
Unknown

Evan: With the amount of id theft that is prevalent and increasing exponentially if not logarithmically, combined with the number of security breaches and the obvious non-monetary damages this combination creates (e.g., anxiety on the part of persons whose privacy was compromised) even if the information is not used, do you have an opinion regarding why no courts (of which I am aware) except a California Federal District Court (N.D. Ca.) in Ruiz v. Gap, Inc. will recognize any cause of action for those persons with compromised information? I have had clients arrested on id theft, have their homes foreclosed upon, etc. because of grossly negligent action of holders of their private information, but the direct causal relationship is so hard to prove as to be nearly impossible. If you have a large enough class, then perhaps the Plaintiffs' attorneys can hire someone with your expertise or similar expertise who might be able to prove the causation, but the average citizen is just screwed. You get as much justice as you can afford in this country. With the huge volume of number-crunching/profiling that is going on by marketers and the government, and with consolidation of databases, we have gone beyond The Brave New World into uncharted and turbulent waters and scary times indeed.