Personal healthcare information is valuable, sits high on healthcare organizations' list of priorities and is also at high risk. Incidences of compromised data and privacy incidents are growing in number, whether an organization suffers a cyberattack or a hospital is found with inadequate safeguards for information.
Here are 16 of the biggest stories and updates on data breaches, privacy incidents and HIPAA violations that happened in July, starting with the most recently reported on Becker’s Hospital Review.
1. The hackers believed to responsible for the U.S. Office of Personnel Management and Anthem breach have struck again, this time targeting United Airlines. The newest breach compromises passenger information such as travel plans.
2. Four backup data tapes containing sensitive information on brain donors at McLean Hospital in Belmont, Mass., an affiliate of Boston-based Partners HealthCare, were reported missing May 29. Information stored on the tapes included names, birthdates, diagnoses and some Social Security numbers. Though many of those whose information was contained on the data tapes are deceased, some individuals who have promised to donate their brains to research after their death and the information of donors' family members were also included.
3. Given the increase of large-scale cyberattacks over the past two years, both within and outside of healthcare, the chances an individual's information has been exposed to hackers is becoming more likely. The New York Times created an interactive tool allowing users to determine what, if any, of their information has been exposed. After answering four questions about shopping habits and healthcare providers, the tool highlights what information may be compromised.
4. Washington, D.C.-based Children's National Health System faces a lawsuit regarding a data breach stemming from a phishing attack. The health system learned of the breach in December 2014 but didn't notify patients until February 2015. The lawsuit has been moved to federal court.
5. Columbus-based OhioHealth reported a missing flash drive containing sensitive information of approximately 1,000 patients who were candidates for valve replacements or who participated in research projects related to valve replacements. The health system believes the flash drive was likely misplaced by an employee.
6. Hagerstown, Md.-based Meritus Health reported a data breach after discovering vendor employee may have accessed patient information outside of typical job duties. The health system discovered the breach during a routine compliance and self-audit effort.
7. Rocky Mountain Eye Center in Missoula, Mont., is fighting against a court decision saying the facility's dismissal of an employee who accessed the center's EHR to retrieve contact information for colleagues was an unfair labor practice. The employee, Britta Brown, was allegedly accessing the information as part of efforts to organize a union. The court determined the eye center had an "overly-broad confidentiality rule," and the information Ms. Brown accessed does not fall under the realm of information protected by HIPAA. The eye center seeks ruling that its termination of Ms. Brown is lawful.
8. Hackers targeted Planned Parenthood, accessed and posted online a database containing the names and emails of employees of the women's health clinic. The attack does not appear to compromise personal data of patients or employees. Hacker organization 3301 has claimed responsibility for the attack, saying it has political motives for its actions. The group has threatened to release internal Planned Parenthood emails.
9. Among the negative reports of data breaches, one party is benefiting from them: cybersecurity startups. According to research firm CB Insights, venture firms invested $1.2 billion in cybersecurity startups in the first half of 2015, Wall Street Journal reports. While that number is slightly less than the $1.4 billion invested in the first half of 2014, it's a significant departure from the $771 million invested in the first half of 2013.
10. Los Angeles-based UCLA Health suffered a cyberattack compromising the personal information of 4.5 million people. The health system learned of the attack May 5, though investigations suggest the cyberattacker had access to the systems since September 2014.
11. After the Fourth of July weekend, an ESPN reporter shared a photo of what appeared to be NFL player Jason Pierre-Paul's medical record after the New York Giants' defensive end had finger amputated due to a fireworks mishap. The image stirred up controversy over what is covered under HIPAA's protections. Media, and therefore the reporter Adam Schefter, are not subject to the regulations of HIPAA; however, Mr. Schefter said in a Sports Illustrated interview that he should have been more sensitive to the situation.
12. As the U.S. Women's soccer team was celebrating its recent World Cup championship with a parade through New York City, a WFMY2 reporter noticed the confetti being released throughout the parade was made of shredded medical records. Though shredded, some of the pieces of paper displayed protected health information, including prescriptions, patient names and physician office addresses.
13. Pittsburgh-based UPMC Health Plan notified 722 members after an email containing protected health information intended for a physician office was sent to an incorrect email address.
14. St. Elizabeth's Medical Center in Brighton, Mass., agreed to pay $218,400 to settle an alleged HIPAA violation and to adopt a corrective action plan for its HIPAA compliance program. The hospital had been using an Internet-based document sharing application to store records but hadn't previously analyzed risk associated with using the platform. The HHS' Office of Civil Rights launched an investigation into the hospital and found it failed to comply with rules to safeguard private patient information.
15. A cyberattack on the U.S. Office of Personnel Management resulted in the breach of the information of approximately 21.5 million Americans. Hackers obtained information from security clearance applications.
16. Orlando (Fla.) Health fired an employee who had inappropriately accessed patient records for reasons unrelated to job responsibilities. The system learned of the access during a routine patient record access audit. The information of nearly 3,200 patients was breached.
More articles on health IT:
Criminal fraud data breach affects 5,300 Healthfirst members
11 most interesting developments in health IT this year
How CVS MinuteClinic is using deep data integration to improve patient access