The Center For Health Care Services, based in San Antonio, Texas, has notified 28,434 patients of a privacy breach involving their personal and health information. The data was allegedly stolen by a former employee who took the information after being fired in 2016.
The compromised data includes patients' Social Security numbers, dates of birth, medical record numbers, dates of services, referral information, progress notes, types of services, diagnoses, medications, lab and toxicology reports, autopsy reports, death certificates, treatment plans, and discharge and death summaries.
According to the released statement: "A former employee of CHCS was discovered to have secretly taken personal health information from CHCS on his personal laptop computer at the time his employment was terminated on May 31, 2016. The discovery was made on Nov. 7, 2017, as a result of documents produced in litigation between the former employee and CHCS."
Santa Barbara, California-based Cottage Health System has agreed to a $2 million settlement with the state attorney general resolving allegations that the health system failed to implement “basic, reasonable safeguards to protect patient medical information”, which led to the exposure of nearly 55,000 medical records.
According to California Attorney General Xavier Becerra, the health system’s failure to protect patient medical information violated state and federal privacy laws. The state alleged the health system failed to adequately protect patient records.
In December 2013, Cottage Health was notified that its patients’ records were accessible online, as one of its servers, which contained 50,000 patient records, had been left unencrypted. Worse yet, there was no password protection, and there were no firewalls or permissions, to prevent unauthorized access. Exposed information included medical history, diagnosis, laboratory test results, and medications.
If you are a healthcare provider that accepts Medicare, then you have likely seen and heard the acronyms MACRA, MIPS, and EHR hundreds of times in 2017.
You may have chosen to attest to MIPS for the entire calendar year, or perhaps you are gearing up to begin reporting in the final 90 days of 2017. You also may have chosen to begin reporting in 2018. Whichever path you have selected, are you aware that before medical practices participate in MIPS they must prove that patient health information contained in EHR and elsewhere in their practice is protected by performing a security risk assessment (SRA)?
The US Food and Drug Administration (FDA) has recalled almost half a million pacemakers because they were found to be vulnerable to cyber threats. The recall comes months after the FDA conducted an investigation into the affected devices that revealed a number of non-compliance issues. Threats include flaws in cybersecurity that could allow hackers to run the batteries down or even alter the heartbeats of 465,000 patients.
After two years of steadily increasing cyber threats that resulted in record numbers of compromised patient information, financially extorted health organizations, and publicly disrupted hospital operations, it is clear that cybersecurity is a major concern for healthcare executives in 2017 and beyond.
According to Karthik Swarnam, AT&T Vice President of Security Architecture, “Cybercrime damages are expected to rise to $6 trillion annually by 2021. This represents the greatest transfer of economic wealth in history and risks the incentives for innovation and investment.” The healthcare industry has become a prime target for cyber attacks, facing security issues that have financial and reputational impact for hospitals and other healthcare institutions.