Healthcare physical security breaches are a treasure trove of lessons for security professionals. That’s why we’re taking a look back at some of the biggest and most serious breaches announced in 2018. We keep you updated on data breaches and diversions every month, and as usual, if you want to learn more about what you can do to minimize the risk of your facility ending up on this list, we can help.
Chilton Medical Center in northwestern New Jersey learned in October that an employee had removed a hard drive from the hospital and sold the drive online in December. The health system began notifying affected patients who had visited the facility between May 2008 and October 15, 2017, that their PHI had been compromised.
Information at risk included names, addresses, medical record numbers, dates of birth, medications, and allergies. The hospital learned that the employee had also removed other devices to sell, but those devices are not believed to have contained patient information.
Lesson Learned: This might not be one of the most significant breaches discovered this year, but it’s a stark reminder of why so much patient data goes missing in the first place.
An administrative law judge ruled that the University of Texas MD Anderson Cancer Center will be held responsible for the theft of an unencrypted laptop to the tune of a $4.3 million penalty. Along with the laptop, two unencrypted USB thumb drives were lost. OCR found that MD Anderson had written encryption policies that dated back to 2006.
Internal risk analysis also found a lack of encryption of hospital devices to be a security risk. MD Anderson was fined for each day of HIPAA noncompliance and each exposed record because of the provider’s “willful neglect.” The judge ultimately ruled that MD Anderson “failed to adopt an effective mechanism” to protect their patients’ data.
Lesson Learned: This record-breaker was a warning sign to anyone not acting on physical security issues they know exist in their organization.
Effingham Health System will be paying a $4.1 million settlement over allegations that it failed to properly guard against the loss and theft of controlled substances. The U.S. Attorney’s Office says that the health system’s inaction led to “a significant diversion of opioids” and that it additionally failed to report the diversion. Across a period of more than four years, tens of thousands of oxycodone tablets were left unaccounted for. The hospital has begun overhauling its pharmacy operations to improve its systems and implement best practices.
Lesson Learned: Data isn’t the only thing that will get you on the “biggest financial loss” list.
Nebraska burglars managed to get hold of a handful of items containing patient information, including a computer component of an EKG device as well as uncashed patient checks. Complete Family Medicine has worked with police to recover some of the checks, but the computer, which contained names and EKG images, has not been located.
To protect against future issues, Complete Family Medicine is reviewing its policies and procedures to decide whether it needs to change its approach to physical healthcare security.
Lesson Learned: Sometimes, safes aren’t enough. Senseon’s reliable electronic locks bring up to 250 lbs. of break-force to any application.
Verizon’s 2018 Protected Health Information Data Breach Report has hit the streets and is revealing one stubborn and unsettling trend — inside actors are still a major problem for healthcare security teams.
The study found that 58 percent of breach attempts involve inside actors and that events like laptop theft from cars are a common breach strategy. While physical security often falls by the wayside in healthcare security discussions, reports like Verizon’s are a continuous reminder that physical security should be a priority for every hospital and long-term care security team.
Lesson Learned: Internal threats are probably a bigger deal than you realize.
InSite Digestive Care of California tops the list this week with the theft of “paper/films” suspected to have impacted 1,424 patients. According to reports, someone broke into two storage lockers that housed patient records and may have viewed and removed patient files. The files contained names, addresses, driver’s license and Social Security numbers, as well as lab orders and other health information. InSite Digestive is offering a year of free credit monitoring and identity protection services to anyone potentially impacted.
Lesson Learned: Don’t forget to protect your film!
Laptops are frequently named in physical healthcare data breaches, and with good reason.
They’re portable, and they are frequently unencrypted and improperly secured. While this is common knowledge, the sheer exposure laptops create might not have really hit home yet, so consider these statistics.
- 86 percent of IT practitioners report that a laptop has been lost by or stolen from someone in their organization. 56 percent report that the theft resulted in a breach.
- 52 percent of business managers report that they sometimes or often trust a stranger with their laptop when they’re traveling.
- 45 percent of healthcare information breaches involve stolen laptops.
- In one case, the medical data of 6 million patients was compromised in the theft of a single laptop.
- The average blow to a business’s bottom line after an individual laptop theft is $47,000.
Lesson Learned: This report is a good look at just how important it is to properly store and protect laptops.
The American Journal of Managed Care recently released the results of a study that used data from the Office for Civil Rights to examine breaches that affected 500 or more individuals between 2009 and 2016. The objective was to describe the locations within hospitals where data is breached, the types of breaches that occur most frequently, and the associated hospital characteristics.
The study found that hospital breaches affected the largest number of individuals, and that while network server breaches affected the highest number of patients overall, paper and film records were the most common location of breached data. The study recommends that hospitals conduct routine audits of vulnerabilities and improve access control to help prevent breaches.
Lesson Learned: Paper records need protection too — something that’s easy to forget with all the focus on cybersecurity.
Massachusetts just might be staring down one of the largest drug diversion cases in the country.
Recently, 18,000 pills were stolen from Beverly Hospital and several of its satellite locations. Lisa R. Tillman, a pharmacy technician, was arraigned on a charge of larceny of a controlled substance and has pleaded not guilty, allegedly telling police she was only taking the pills for personal use and flushing unused doses.
The majority of the pills were opiates, including Vicodin, Percocet, and OxyContin. Tillman allegedly stole the drugs by marking them as outdated and then removing them from automated dispensing machines.
Lesson Learned: As the opioid crisis continues, preventing drug diversion should be a top priority for all providers.
Want to improve your physical security in 2019? Senseon’s adaptable physical security offerings can be an integral part of any proactive facility’s PHI and drug security initiatives.