Healthcare News & Insights

3 of 2011’s worst data breaches involved medical records

We’ve reported before on how valuable patients’ health information is for criminals. That explains why a few of the worst data breaches organizations experienced in the past year involved the theft of electronic medical records. 

Privacy Rights Clearinghouse (PRC), a nonprofit consumer protection group, recently published its list of the six worst data breaches of 2011. Of those that made the list, three involved health information.

Medical records are a big target for criminals, PRC said, because of the amount of sensitive information they contain. Those records often contain not just coveted Social Security numbers and dates of birth, but also data that can be used to commit insurance fraud or buy and resell prescription drugs.

These were the three most significant health data breaches of 2011:

Sutter Physicians Services and Sutter Medical Foundation (ranked #3 on PRC’s list) — A desktop computer containing patient data was stolen from Sutter’s administrative offices in Sacramento, CA. The PC was password-protected, but data was not encrypted, and approximately 3.3 million patients whose providers use Sutter’s services had sensitive information exposed. Sutter has been sued for negligence in protecting the patients’ information and failing to notify affected patients in a timely manner.

Health Net (#5) — Nine servers went missing from Health Net’s data center in Rancho Cordova, CA, containing the names, addresses, Social Security numbers, and health and financial information of 1.9 million policy holders. The theft was discovered in January, but affected customers weren’t informed until three months later.

Tricare/SAIC (#6) — Backup data tapes containing information about patients from military hospitals and clinics were stolen from an employee’s car. The data on the tapes was unencrypted and included patient medical information potentially spanning years from 1992 to 2011. An estimated 5.1 million patients may have been affected, and a $4.9 billion lawsuit has been filed against Tricare and SAIC.

Those breaches had some elements in common: they all involved unencrypted data, and all were carried out by stealing physical equipment containing that data. Also, in two of the incidents, a major issue was the failure to notify people whose information may have been stolen.

The lessons for health IT professionals:

  1. Make sure all sensitive data is kept encrypted
  2. Pay attention to physical security as well as information security
  3. Create policies and train employees to be careful when they transport sensitive data outside of the office, and
  4. If a breach does occur, organizations must make sure law enforcement and affected people are notified as soon as possible. It pays to have a breach plan in place before an incident occurs.
