
Insider Threat & HIPAA: Computers Containing "Thousands" of Patient Files Stolen

Ten computers containing personal information on thousands of patients were stolen from a Hospital Corporation of America (HCA) regional office, and now the FBI is investigating. The report did not say when the theft occurred, though.

"The computers were stolen from a secure building, and the thieves slipped by video surveillance. HCA is one of the nation's leading providers of health care services. The company's 200 plus hospitals and surgical centers serve thousands of patients in the US and around the world. The company is warning patients, and the FBI is now involved.

"For now investigators aren't saying which regional office was targeted by thieves, but the stolen computers contain sensitive information -- including social security numbers and thousands of files on Medicare and Medicaid patients treated at HCA hospitals."

The theft affects patients on Medicare or Medicaid who have failed to pay their co-pay or deductible, and those who were seen in an HCA hospital in Colorado, Kansas, Louisiana, Mississippi, Oklahoma, Oregon, Texas or Washington between 1996 and 2006. HCA did not believe any of the files stolen belonged to patients in Tennessee.

The theft has sent shockwaves through the system of the Nashville-based company raising concerns about security. Now a special call center has been set up to answer questions for concerned patients. Investigators thought the thieves stole the computer hardware to sell, and had no interest in using the information for identity theft.

So far there have been no leads on the thieves, and no arrests. The original location of the computers has not been disclosed, and will not be while the FBI investigates. The thieves got past some elaborate security, including a keypad lock and a password for access, making it possible that it was an inside job. With this in mind, HCA has taken steps to further beef up security."

A few thoughts about this incident...

  • Even though patient information was stolen from a healthcare provider (a HIPAA-defined "covered entity"), it is unlikely there will be any HIPAA violations declared. They had what sounds like reasonable physical security in place.
  • From the report it certainly does sound very likely it was an inside job, considering video surveillance was bypassed, along with the keypad lock and password. Organizations must always remember that some "trusted" insiders will turn out to be threats and may commit crimes through their authorized capabilities.
  • It is good the hospital contacted all the patients involved, in addition to setting up a special call center to answer questions.
  • It is odd/interesting that the investigators, without (supposedly) knowing who the thieves were, would say they "had no interest in using the information for identity theft." How could such a thing be known? They must have much more information about this incident/theft than was reported. No one can know the intent of an unknown person or persons.


Comments

Outsourcing firm of First Consulting Group, supporting Continuum Health Partners (Roosevelt, St. Lukes and Beth Israel Hospitals in Manhattan) regularly has computers stolen. 30 Dell systems walked out of a secure facility at St. Lukes in October, 2006 and other systems are routinely stolen.

Viruses, malware, and porn are also rampant on virtually every desktop system.


Rebecca Herold's Bio:

Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, has been providing information security, privacy and regulatory assistance and services to organizations from a wide range of industries for over 18 years. Rebecca was instrumental in building the information security and privacy program while at Principal Financial Group, which was awarded the CSI Information Security Program of the Year Award in 1998. IT Security ranked Rebecca as one of the top 59 IT security influencers, and Computerworld put Rebecca on their list of the 25 top privacy experts and on their list of the 9 best privacy consulting firms. Rebecca has been CPO for two consulting organizations, and has had her own information privacy, security and compliance business since 2004. Rebecca has written chapters for several books and dozens of articles, has been writing a monthly privacy column for the CSI Alert newsletter since the beginning of 2001, and is working on her 11th book. Some of her other books include The Privacy Papers, Managing an Information Security and Privacy Awareness and Training Program, The Definitive Guide to Security Inside the Perimeter (Realtime Publishers), The Shortcut Guide to Improving IT Service Support through ITIL (Realtime Publishers), and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, Rebecca is the leader of The Realtime IT Compliance Community, where she posts to her IT Compliance weblog. You can contact Rebecca at: rebecca_herold@realtimepublishers.net.