Why Healthcare Data Breaches Are a C-Suite Concern

Forbes - Eric Savitz - December 7th, 2012

Healthcare data breaches have become an everyday disaster. Ninety-four percent of healthcare organizations surveyed in the newly released Ponemon Institute study, Third Annual Benchmark Study on Patient Privacy & Data Security, suffered at least one data breach during the past two years. What’s more, 45 percent of organizations experienced more than five data breaches each during this same period.

The challenges to maintaining the privacy of confidential patient data continue to grow as more and more of this information is being entered into new electronic systems, as mandated by government regulations.

No cure exists for data breaches. Data breaches have entrenched themselves into the fabric of everyday business, like a bacterium, and these risks must be addressed at the highest levels. We believe healthcare organizations should restructure the information security function to report directly to the board. This would symbolize a commitment to data privacy and security, opening executives’ eyes to the real, constant, and costly threats.

Ponemon Study Reveals Ninety-Four Percent of Hospitals Surveyed Suffered Data Breaches

Errors and Cyber Attacks Are Culprits; Mobile and Cloud Threats Loom; Patients at Risk for Medical Identity Theft

TRAVERSE CITY, Mich. and PORTLAND, Ore. — December 6, 2012 — The Third Annual Benchmark Study on Patient Privacy & Data Security by Ponemon Institute, sponsored by ID Experts®, reports that healthcare organizations face an uphill battle in their efforts to stop data breaches. Ninety-four percent of healthcare organizations surveyed suffered at least one data breach during the past two years, and 45 percent of organizations experienced more than five data breaches each during this same period. Data breaches are an ongoing operational risk. Based on the experience of the 80 healthcare organizations participating in this research, data breaches could be costing the U.S. healthcare industry an average of $7 billion annually. Leading causes were lost devices, employee mistakes, third-party failures, and criminal attacks. A new finding indicates that 69 percent of organizations surveyed do not secure medical devices—such as mammogram imaging systems and insulin pumps—that hold patients’ protected health information (PHI). Overall, the research indicates that patients and their PHI are at increased risk for medical identity theft. Risks to patient privacy are expected to increase, especially as mobile and cloud technology become pervasive in healthcare.

For a free copy of the Third Annual Benchmark Study on Patient Privacy & Data Security, visit http://www2.idexpertscorp.com/ponemon2012/.

For the data breach infographic visit http://www2.idexpertscorp.com/ponemon2012/Infographic/.

Who Controls Your Health Data?

Forbes - Doug Pollack - August 01, 2012

Can you limit access to the psychiatric notes in your chart once they have been entered into your provider’s new Electronic Health Record system?

Does your podiatrist need access to your reproductive health history?

It sounds absurd, but the adoption of electronic health records and Health Information Exchanges could enable this level of access in the future. The goal of these initiatives is to provide access to each American’s medical records so that physicians can better provide treatment.

Top 3 issues facing patient privacy

Government HealthIT - Rick Kam - July 30, 2012

You have greater privacy rights regarding the size of a shirt you purchased online than you do about information in your mental health records under the Consumer Privacy Bill of Rights, issued by the White House in February 2012. At least that’s the position of James C. Pyles, an attorney specializing in patient privacy rights. He authored the forthcoming Health Information Privacy Bill of Rights, an initiative to provide patients at least the same level of rights as are offered to consumers under the Consumer Privacy Bill of Rights.

Health Care Reform: Let’s Not Forget Privacy And Data Security

Forbes - Bob Gregg - July 02, 2012

The Supreme Court’s decision to uphold the Affordable Care Act could guarantee health insurance coverage for the majority of the 50 million Americans who are now uninsured. While laudable in theory, this legislation doesn’t account for the strain these millions of new patients will have on an already overburdened healthcare ecosystem, especially when it comes to patient privacy and data security.

A Risky Rx for Your Digital Medical Records

Smart Money - Tania Karas - June 19th, 2012

Few health care trends have gotten as much press of late as the mad rush into electronic health records. Physicians, driven by the promise of better care, cost savings and nearly $23 billion in new federal incentive payments, are racing to turn their scribbled medical records into digital files. Thirty-five percent of hospitals now use such systems, more than double the share two years ago, according to U.S. government figures. But for all the hype about electronic records, little attention has been paid to what some say is a serious weak spot: When those sensitive bits and bytes fall into the wrong hands, it's often patients who feel the pain.

13 Security Tips to Combat Mobile Device Threats to Healthcare

Portland, Ore. - June 13th, 2012

Mobile devices—thumb drives, smartphones, external hard drives, tablets and laptops—are increasingly exposing protected health information (PHI) in the healthcare space, and the threat is growing, according to the Department of Homeland Security. Mobile devices pose significant risks of privacy incidents for healthcare organizations, providers and entities responsible for safeguarding PHI under the federal HITECH and HIPAA regulations. Since patient data can be moved, processed and shared via personal cell phones and tiny USB flash drives, the Bring-Your-Own-Device phenomenon can wreak havoc on a hospital. To help healthcare entities reduce privacy incidents resulting from mobile risks, 13 experts—representing legal, data breach prevention, technology, healthcare IT, and security—offer these top tips for healthcare organizations:

ID Experts RADAR™ Named “The Best Privacy Technology of 2012” at Health Privacy Summit

Portland, Ore. - June 7th, 2012

ID Experts RADAR™ was named one of "The Best Privacy Technologies of 2012" at the 2nd annual International Summit on the Future of Health Privacy, in Washington, D.C., where more than 40 leading health-privacy experts gathered to discuss urgent privacy issues facing the industry and affecting patients. More than 20,000,000 individuals have been impacted by the epidemic of health information breaches in healthcare systems. Sensitive patient health data is a prime target for thieves, with medical identity theft affecting 1.5 million people in the U.S. annually. The sheer scale of data breaches undermines patient trust in the health system, placing patients' lives and reputations at risk. RADAR was selected as an effective tool to help organizations meet their regulatory and ethical responsibilities to promptly notify individuals when a privacy or security incident occurs.

Hacked to Death: The Risks of M-commerce in Health Care

by Jeremy Simon - May 31, 2012 - Texas Enterprise

It's the nightmare scenario: A hacker who is able to remotely access your pacemaker — and shut it off.

Pacemakers are programmed via wireless connections with a computer. That reliance on wireless signals, however, leaves pacemakers vulnerable to attack by hackers, who could drain the device battery and turn off therapies.

10 Guidelines for Selecting Data Breach Insurance

by Kathleen Roney - May 22, 2012 - Becker Hospital Review

As society becomes increasingly electronic, data breaches are a major problem for many organizations. Concern for data breaches in the healthcare industry is especially prevalent because of the variety of protected information hospitals and health systems handle. In addition, healthcare data breaches are on the rise. From 2010 to 2011, the number of data breaches affecting healthcare organizations rose 32 percent, according to research by Ponemon Institute. Along with the loss of patient personal and protected health information, data breaches can diminish productivity and cause severe financial consequences for a hospital or health system.

A Little ‘CSI’ for Health I.T.

by Joseph Goedert - May 09, 2012 - Health Data Management

Digital forensics, the use of scientific methodology to introduce computer data into actual or potential litigation, relies on "using the best computer techniques in a way that you could go to court and clearly and irrefutably explain what you did," says Winston Krone, managing director at Kivu Consulting, which specializes in investigative, discovery and analysis services. "It's also preserving evidence and making sure that the procedures you do don't change the evidence."
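Krone's point about procedures that must not change the evidence is normally enforced with cryptographic hashes: the examiner hashes the acquired image at acquisition, logs the digest in a chain-of-custody record, and re-hashes before analysis and again before testimony, so that any alteration (deliberate or accidental) is detectable and the original digest can be produced in court. The following is an added example, not code from the article or from Kivu Consulting; the JSON Lines manifest format, its field names and the sample "disk image" written to a temporary directory are assumptions made for illustration.

```python
"""Evidence-integrity check: hash an acquired file, record the digest in a
chain-of-custody manifest, and verify the file has not changed since.
Added example; manifest layout and field names are assumptions."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 in fixed-size chunks so that multi-GB
    images do not have to fit in memory. The file is opened read-only, so the
    measurement itself never modifies the evidence."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def record_acquisition(evidence_path, manifest_path, examiner, description):
    """Append one chain-of-custody entry (JSON Lines, one record per line).
    Appending rather than overwriting keeps every prior entry as a history."""
    entry = {
        "evidence": os.path.basename(evidence_path),
        "size_bytes": os.path.getsize(evidence_path),
        "sha256": sha256_file(evidence_path),
        "examiner": examiner,
        "description": description,
        "recorded_at": datetime.now(timezone.utc).isoformat(),
    }
    with open(manifest_path, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(entry) + "\n")
    return entry


def verify_evidence(evidence_path, manifest_path):
    """Re-hash the file and compare against the FIRST recorded digest for it.
    The first entry is the acquisition-time value; later entries cannot
    quietly 'update' the baseline. Returns a dict the caller can log."""
    name = os.path.basename(evidence_path)
    recorded = None
    with open(manifest_path, "r", encoding="utf-8") as fh:
        for line in fh:
            entry = json.loads(line)
            if entry["evidence"] == name:
                recorded = entry["sha256"]
                break
    if recorded is None:
        raise KeyError(f"no chain-of-custody entry for {name!r}")
    current = sha256_file(evidence_path)
    # hashlib digests are hex strings; compare case-insensitively.
    return {"evidence": name, "match": recorded.lower() == current.lower(),
            "recorded": recorded, "current": current}


def demo():
    """Constructed walk-through: acquire, verify, tamper, verify again."""
    workdir = tempfile.mkdtemp(prefix="evidence-")
    image = os.path.join(workdir, "laptop-disk.img")       # constructed sample
    manifest = os.path.join(workdir, "custody.jsonl")
    with open(image, "wb") as fh:
        fh.write(b"constructed sample image contents\n" * 1000)

    record_acquisition(image, manifest, "examiner-1",
                       "disk image of lost laptop, constructed for demo")
    before = verify_evidence(image, manifest)

    # Simulate an uncontrolled write to the evidence, e.g. mounting it rw.
    with open(image, "ab") as fh:
        fh.write(b"\x00")
    after = verify_evidence(image, manifest)
    return before, after


if __name__ == "__main__":
    ok, tampered = demo()
    print("after acquisition: match =", ok["match"])
    print("after write:       match =", tampered["match"])
```

In practice the manifest itself is stored on write-once or separately controlled media and the digest is also written on the physical evidence label, so that a reviewer can reproduce the check without trusting the analysis workstation. Any mismatch should stop the analysis and be documented, not "fixed" by re-recording.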

10 things to consider before purchasing cyber insurance

by Michelle McNickle - May 8, 2012 - Healthcare IT News

Data breaches have increased dramatically within the past few years, giving way to new trends within the healthcare space. Given their unpredictable nature, data breaches are hard to budget for, but according to a recent report by ID Experts, one aspect of an overall risk management strategy is becoming increasingly important and worth exploring: cyber insurance.

3 Considerations for Evaluating Data Breach Insurance Policies

May 2, 2012 - Becker's Hospital Review

In 2011, 419 data breaches were publicly disclosed, exposing a total of 22.9 million records, according to a study from the Identity Theft Resource Center. One of the reasons data breaches are so prevalent is that healthcare data increasingly exists in a less stable environment. The push to digitize, the outsourcing of data processing to cloud providers and the increase in mobile devices used to conduct business have all contributed. The result has been a substantial increase in the visibility of the breaches and the costs associated with these incidents.

Mitigating PHI danger in the cloud

by Rick Kam - May 02, 2012 - Government Health IT

For all of its benefits, cloud computing poses very real dangers to covered entities responsible for safeguarding protected health information (PHI).

The cloud model, which the IT industry has been embracing for its up-front cost savings and efficiencies for years now, is more recently being recognized by the healthcare realm for its potential to serve as an ideal infrastructure for Health Information Exchange (HIE) — a main component of the Electronic Health Records (EHR) meaningful use initiatives. What's more, the cloud can provide easy, affordable access to the latest medical applications, such as e-prescribing or leading-edge diagnostic tools.

5 reasons to use forensics

by Michelle McNickle - April 30th, 2012 - Healthcare IT News

With the prevalence of data breaches rising, the industry is slowly yet surely realizing they're no laughing matter. And with price tags running into the billions, more organizations are starting to take the steps necessary to protect themselves against a costly breach of sensitive information.

Yet, breaches remain common, and as best practices continue to develop around how to handle them, one tool is proving to be invaluable: forensics.

6 things to know about an OCR/HIPAA audit

by Michelle McNickle - April 27th, 2012 - Healthcare IT News

It's one thing to know which hot buttons can trigger a visit from OCR. But according to Mahmood Sher-Jan, vice president of product management at ID Experts, and Chris Apgar, president and CEO at Apgar & Associates, organizations should also know what to expect if they're chosen to undergo an audit -- and know how to prepare for one.

Apgar and Sher-Jan outline six things to know about an OCR/HIPAA audit.

Security Vendors Team for Data Breach Services

April 26, 2012 - Health Data Management

Information security firms FairWarning and ID Experts have integrated their products to offer services to prepare for data breaches, detect them, and manage the investigation and resolution of a breach.

ID Experts Partners with FairWarning to Simplify Healthcare Organizations’ Compliance with Fed

Portland, Ore. - April 26, 2012 -

With healthcare now the top-breached industry, healthcare organizations and providers are challenged by the complexities of auditing, assessing, documenting, and reporting privacy incidents. To help simplify healthcare privacy incident detection, incident assessment and reporting in order to comply with federal and state data breach laws, ID Experts has successfully completed FairWarning® Ready for Compliance and Reporting Certification for RADAR 2.0. With ID Experts as a FairWarning® Ready certified partner, the integrated products offer healthcare organizations a simplified solution for the detection of healthcare data breaches and compliance with HITECH Act and state obligations.

3 hot buttons that can trigger an OCR audit

by Michelle McNickle - April 24th, 2012 - Healthcare IT News

This past November, the healthcare industry got its first taste of the new spot-check audits performed by the Office for Civil Rights to enforce HIPAA compliance efforts. Now, in the midst of the OCR pilot program, many providers are wondering if they'll be among the unlucky few to undergo an OCR audit.

Utah’s Medicaid Data Breach Worse Than Expected

By Nicole Lewis - April 11, 2012 - Information Week

A new tally of files stored on a server that contained Medicaid information at the Utah Department of Technology Services (DTS) reveals that 780,000 individuals have been affected by the theft of sensitive information. That's far worse than initial estimates.

8 security questions to ask your business partners

By Rick Kam & Mahmood Sher-Jan - April 11, 2012 - Government Health IT

Healthcare organizations, or covered entities under HIPAA, are legally responsible for the protected health information (PHI) they hold. Because of the HITECH Act, that responsibility now carries downstream to their business associates — claims processing, administration, data analysis, billing, benefits management — and could potentially extend to subcontractors.

10 Tips When Considering Cyber Insurance

By Rick Kam & Jeremy Henley - Mar 28, 2012 - PropertyCasualty360

Data breaches are like lightning: one never knows when or where they'll strike, or how much damage they will cause. Given their unpredictable nature, data breaches are difficult to budget for. Cyber insurance can help offset these unexpected costs, but keep in mind that it is not a substitute for implementing good data privacy and security practices. In addition, cyber insurance does not cover all expenses, such as diminished reputation or customer churn.

Healthcare Data Breaches: Handle with Care

By Rick Kam & Jeremy Henley - Mar 20, 2012 - PropertyCasualty360

Data breaches are notorious for the financial, legal, and reputational damage they can inflict on an organization and its customers. The unintentional exposure of a social security number or financial information raises the risk for identity theft and increases organization vulnerability for lawsuits, fines and lost business.

Can Health Care Orgs Maintain Trust With Electronic Records?

By S. Joe Bhatia and Rick Kam - Mar 20, 2012 - Forbes

You don’t want your personal health information to spread virally around the Internet. Save that for the talking baby videos on YouTube.

The truth is, the electronic health information of millions of patients can be breached in a matter of seconds. As the industry moves from paper records to electronic health records (EHR), protected health information (PHI) is now more susceptible to exposure than ever.

What’s Driving the Rise in Data Breaches?

By Rick Kam & Jeremy Henley - Mar 14, 2012 - PropertyCasualty360

Cyber insurance is growing in popularity as a means to mitigate the costs and risks associated with a data breach. Given the growing prevalence of data breaches in all industries, companies are seeking help. Industries with large volumes of high-value data—bank accounts and medical records to name a few—are particularly vulnerable to data breaches. Thieves value big data for its profit potential—often reselling it to other thieves or using it for multi-million-dollar healthcare fraud schemes.

Safeguarding patients’ PHI

By Michelle McNickle - Mar 12, 2012 - PhysBizTech

The risk of protected health information (PHI) being breached has grown dramatically within the past few years. The HIPAA Security Rule was created to address such threats by providing organizations with administrative, physical and technical guidelines to safeguard their electronic PHI.

The Benefits and Limitations of Cyberinsurance

By Rick Kam - Mar 7, 2012 - Risk Management

The Information Age. The Digital Age. The Computer Age. Whichever name you use, we’re in an era where many companies’ most valuable asset is information, from consumer buying habits to patient diagnoses to scientific data. At the same time, this asset also comes with a burden: companies are responsible for safeguarding the information they hold. Given the almost immeasurable amount of information produced today—something often called “Big Data”—the task can become overwhelming.

The 5 (PHIve) steps you can take now to protect PHI

By Rick Kam - Mar 6, 2012 - Government Health IT

The adoption of electronic health records (EHRs) is making protected health information (PHI) more susceptible than ever to exposure, loss, or theft. What were once localized records are now transmitted across the healthcare ecosystem, from the front desk to the cloud, from healthcare plans to downstream subcontractors. Despite the increased risks of exposure, healthcare organizations lack the resources and, in some cases, the sense of urgency, at the boardroom level, that would make protecting PHI a high priority.

Digital Health Data at Risk From Manager Support, Study Finds

By Chris Strohm - Mar 4, 2012 - Bloomberg

Insufficient funding and lack of executive support are mainly responsible for security breaches involving patients’ electronic health records, a study found.

Executives at health-care companies and providers must improve cost assessments to include payments from class-action lawsuits, said the report released today in Washington by the nonprofit American National Standards Institute. Its members include Kaiser Permanente and data-security sellers such as Microsoft Corp. (MSFT) as well as the U.S. Defense Department and the Food and Drug Administration.

5 steps to take after experiencing a data breach

By Michelle McNickle, Web Content Producer, Published on Healthcare IT News

Created February 20, 2012

It’s essential to take the steps necessary to prepare against a data breach, but after one does occur, knowing how to respond can make all the difference.

Mahmood Sher-Jan, vice president of product management at ID Experts, offers five steps to take once a breach has happened.

5 tips for preparing for a potential privacy incident or data breach

By Michelle McNickle, Web Content Producer, Published on Healthcare IT News

Created February 16, 2012

Last year, health data breaches were up 97 percent, with all 50 states experiencing some sort of breach and 385 incidents affecting more than 19 million people. Experts agree: If ever there were a time to protect and prepare against breaches, that time is now.

ID Experts Launches RADAR™ 2.0

PORTLAND, Ore. — February 15, 2012 — Healthcare has become one of the most-breached industries, placing hospitals, clinics and health plans under the scrutiny of the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) and State Attorneys General (AG). To help healthcare organizations navigate the maze of inconsistent federal and 46 states’ different patient privacy laws, ID Experts today announced RADAR 2.0, a patent-pending, web-based software tool that standardizes, centralizes and simplifies the assessment, documentation and reporting of privacy or security incidents involving personally identifiable information (PII) and protected health information (PHI).

Data breaches put patients at risk for identity theft

By Robin Erb, Detroit Free Press

DETROIT – Walk into a doctor's office and chances are that some of your most private information -- from your Social Security number to the details of your last cervical exam and your family's cancer history -- is stored electronically.

Your doctor might access the information on a cell phone that could slip into the wrong hands. The staff might take it home on a laptop or a flash drive.

As Detroit-area health care providers take multimillion-dollar steps toward electronic records, they're talking about more than efficiency and better care. They're talking security, too.

A glimpse inside the $234 billion world of medical ID theft

By Rick Kam and Christine Arevalo, February 8, 2012, Government Health IT

Healthcare fraud is costing American taxpayers up to $234 billion annually, based on estimates from the FBI. It’s no wonder that a stolen medical identity has a $50 street value, according to the World Privacy Forum, whereas a stolen Social Security number sells for only $1.

One form of healthcare fraud, known as medical identity theft, has its own staggering statistics: 1.42 million Americans were victims of medical identity theft in 2010, according to a 2011 study on patient data privacy and security by the Ponemon Institute. The report estimates the annual economic impact of medical identity theft to be $30.9 billion.

10 tips to prepare for an OCR audit

By Michelle McNickle, Web Content Producer, Published on Healthcare IT News (http://www.healthcareitnews.com)

Created 02/01/2012

It’s one thing to prepare your organization with a solid defense against a potential privacy breach. Add in an HHS/OCR audit or investigation, and it becomes crucial that organizations take the necessary steps to comply with the HIPAA Privacy, Security, and Breach Notification rules.

Apgar & Associates and ID Experts Form Partnership

PORTLAND, Ore. — February 1, 2012 — Apgar & Associates and ID Experts have partnered to offer healthcare organizations complete services, tools and resources for compliance with federal and state privacy, security and breach notification laws, including HIPAA and HITECH; breach prevention and incident assessment; and post-breach incident response. Their combined offerings—including “Mock OCR HIPAA Audits”—will provide organizations the assistance needed to prepare for the audits by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) as mandated by the HITECH Act. Throughout 2012, KPMG, on behalf of OCR, will conduct random compliance reviews of 20 pilot audits and 150 healthcare providers, health plans and healthcare clearinghouses, also referred to as covered entities under HIPAA. These audits could result in a corrective action plan, civil penalties or monetary settlements, or both, with civil penalties of up to $50,000 per incident up to a maximum of $1.5 million per calendar year for the same type of incident.

Effective practices for HIPAA and HITECH compliance measurements

By Rebecca Herold and Mahmood Sher-Jan, HCCA Compliance Today, January 2012

It is often said that if you can’t measure something, you can’t improve it. The same can be said about how an organization manages its information security and privacy program compliance activities. The goal isn’t just measuring compliance with federal and states’ regulations, but equally important is protecting the organization’s reputation and its customers.

Top Health Care IT Trends for 2012

IT Business Edge

The health care sector will be one of the most active areas in all of IT in 2012. With the advent of electronic health care records and greater enforcement of compliance rules, the pressure on health care IT professionals is going to rise exponentially in 2012.

The folks at ID Experts, a provider of data breach security and compliance management tools, have put together a list of some of the things IT health care professionals should specifically be watching for in 2012.

11 healthcare data trends in 2012

By Michelle McNickle, Healthcare IT News  January 06, 2012

Mobile devices, data breaches and patient privacy rights were some of the most talked-about topics in health IT in 2011, and according to expert opinions compiled by ID Experts, 2012 won’t be any different.

In fact, experts continue to predict an upswing in mobile and social media usage, response plans, and even reputation fallout. Eleven industry experts outlined healthcare data trends to look for in 2012.

More Patient Data Risks, Lawsuits Predicted In 2012

By Nicole Lewis InformationWeek January 09, 2012

According to experts in healthcare law and information privacy and security, healthcare IT managers can expect to see more patient data breaches in 2012, along with more lawsuits filed by patients as the availability of patient information exchanged over social media sites and mobile devices grows.

These conclusions, published by ID Experts, offer a glimpse into what health CIOs can expect as they seek to protect patient data during a year that promises more of the same challenges they faced last year.

A look ahead at healthcare law, privacy and security

Hospitals and healthcare organizations will need more than a couple of aspirin to ready themselves for 2012.

Industry experts representing healthcare law, privacy, security, regulatory and data breach were asked to forecast healthcare data trends for 2012. The overall forecast? Protecting patients’ protected health information (PHI) should be viewed as a patient safety issue.

7 health data privacy and security trends to track in 2012

By Rick Kam and Christine Arevalo, January 6, 2012, Government Health IT

Happy Leap Year! We’re jumping into a challenging 12 months — lawsuits are up, budgets are down, and advances in technology have made protecting medical data a whole lot harder. Our list of top trends in 2012 reveals difficulties ahead; read and proceed with caution.

Mobile healthcare figures prominently in ID Experts’ 2012 PHI security predictions

January 05, 2012 Eric Wicklund, Editor, mHIMSS

Access to healthcare data on mobile devices will be on the minds of many a healthcare executive this year, according to industry experts gauging the top trends in 2012.

Compiled by ID Experts, a Portland, Ore.-based provider of data breach solutions, “Top 11 Trends for 2012 in Healthcare Data” includes several references – both positive and critical – to the fast-growing mHealth industry.

Top 11 Trends for 2012 in Healthcare Data, According to Industry Experts

A Look Ahead Points to Increased Risks; Regulatory Expectations; Reputational Fallout

PORTLAND, Ore. — January 5, 2012 — Hospitals and healthcare organizations will need more than a couple of aspirin to ready themselves for 2012. Industry experts representing healthcare law, privacy, security, regulatory and data breach were asked to forecast healthcare data trends for 2012. The overall forecast? Protecting patients’ protected health information (PHI) should be viewed as a patient safety issue. If the right actions are not taken, experts predict healthcare data breach will reach epidemic proportions this year.

Year in review: Top 10 trends in healthcare data privacy and security

By Rick Kam and Christine Arevalo, December 22, 2011 Government Health IT

Forget the hospital dramas on TV. Our top 10 list of this year’s trends in healthcare privacy and security has excitement to rival any show. 2011 has been the year of enforcement by the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR), of mobile technology and of massive-scale data breaches.

Smartphones blamed for increasing risk of health data breaches

By Pamela Lewis Dolan, amednews.com, December 19, 2011

The number of physicians using smartphones has reached a near-saturation point. Meanwhile, the number of data breaches is going up.

Coincidence? Leading experts think not.

Recent reports by Manhattan Research have found more than 81% of physicians use a smartphone, up from 72% in 2010.

Health Care IT Security: From Bad to Worse, but Maybe Better

By Michael Vizard, ITBusinessEdge, December 9, 2011

Most folks involved in IT at health care organizations would generally agree that security is important; it just seems to be getting harder to build a consensus about whether it's getting better or not.

Patient Data Losses Jump 32%

By Nicole Lewis, Information Week, December 7, 2011

The frequency of patient data losses at healthcare organizations has increased by 32% compared to last year, with nearly half (49%) of respondents citing lost or stolen computing devices such as laptops, tablets, and smartphones, according to recently published figures from the Ponemon Institute's second annual benchmark study on patient data security.

Survey: Health Data Not Better Protected Than a Year Ago

Joseph Goedert
HDM Breaking News, December 1, 2011

The second year of a benchmark survey to track progress in securing protected health information finds improved policies and staff training, but also increased frequency of breaches, rising incidents of identity theft, poor control over mobile devices, and two-thirds of organizations don't provide protection services for breach victims.

Health Care Data Breaches Increase by 32 Percent: Ponemon Report

The Ponemon Institute, a research firm that advises organizations on data security and privacy, has released a new survey of the health care industry showing a 32 percent increase in data breaches.

Data security consulting firm ID Experts sponsored Ponemon's report, the second-annual "Benchmark Study on Patient Privacy and Data Security," announced on Dec. 1. ID Experts provides assessment tools and response plans to help organizations deal with data security issues.

Costly healthcare data breaches jump 32 percent

December 01, 2011 - Chris Anderson, Contributing Editor

TRAVERSE CITY, MI – The frequency of data breaches in healthcare has increased 32 percent in the past year, and such breaches cost an estimated $6.5 billion annually, according to a new study by the Ponemon Institute. Among the chief culprits: sloppy employee handling of data and the ever-increasing use of mobile devices.

Forty-one percent of healthcare executives surveyed attributed data breaches involving protected health information (PHI) to employee mistakes, while half of the respondents said their organization does nothing to protect the information contained on mobile devices. In all, 80 percent of healthcare organizations use mobile devices that collect, store and/or transmit some form of PHI.

3 steps to minimize ‘data breach epidemic’

December 01, 2011 - Chris Anderson, Senior Editor, Healthcare Payer News

The frequency of data breaches in healthcare has increased 32 percent in the past year, and such breaches cost the industry an estimated $6.5 billion annually, according to the second annual benchmarking study conducted by the Ponemon Institute.

Among the chief culprits responsible for data security breaches were sloppy employee handling of data and the ever-increasing use of mobile devices in the healthcare setting. Forty-one percent of healthcare executives surveyed attributed data breaches involving protected health information (PHI) to employee mistakes, while half of the respondents said their organization does nothing to protect the information contained on mobile devices. In all, 80 percent of healthcare organizations use mobile devices that collect, store and/or transmit some form of PHI.

Patient Data Breaches Surge as Hospitals Scrimp on Security

Dec. 1 (Bloomberg) -- Data breaches at U.S. healthcare providers are increasing as hospitals adopt electronic medical records and mobile technology without spending enough on security to ensure patient privacy, a research group said.

The frequency of data breaches at health organizations jumped 32 percent in 2011 from a year earlier, costing the industry an estimated $6.5 billion, according to a study released today by the Ponemon Institute LLC, a Traverse City, Michigan-based information-security research group.

When a Healthcare Data Breach Strikes: Don’t Be Exposed Like the Back of a Hospital Gown

TRAVERSE CITY, Mich. and PORTLAND, Ore. — December 1, 2011 — "Sloppy" is not a word patients want to hear at the hospital. Especially to describe the handling of patients' private medical records, insurance information and Social Security Numbers. The latest 2011 Benchmark Study on Patient Privacy and Data Security by Ponemon Institute, sponsored by ID Experts®, is a disturbing reality check for patients.

The latest research reveals that the frequency of data breaches in healthcare has increased by 32 percent, largely because of employee negligence. This puts individuals at a greater risk for medical identity theft, financial harm, embarrassment and frustration.

Data Breaches Cost the Healthcare Industry an Estimated $6.5 Billion

TRAVERSE CITY, Mich. and PORTLAND, Ore. — December 1, 2011 — The second annual benchmark study by Ponemon Institute, sponsored by ID Experts®, finds that the frequency of data breaches in healthcare organizations surveyed has increased by 32 percent, with hospitals and healthcare providers averaging four data breaches. Employee negligence is the primary culprit. According to 41 percent of healthcare organizations surveyed, data breaches involving protected health information (PHI) are caused by sloppy employee mistakes. To compound the problem, half of respondents do nothing to protect mobile devices that are in use in 80 percent of healthcare organizations. Based on the experience of the healthcare organizations surveyed, data breaches could be costing the U.S. healthcare industry an estimated $4.2 billion to $8.1 billion annually—an average of $6.5 billion—enough to hire more than 81,000 registered nurses nationwide or fund 216 million flu vaccinations. For a free copy of the 2011 Benchmark Study on Patient Privacy and Data Security, visit http://www2.idexpertscorp.com/ponemon-study-2011/

Privacy compliance needn’t be so scary

By Rick Kam and Christine Arevalo, October 30, 2011 Government Health IT

Regulators looking over your shoulder. Million-dollar fines lurking around the corner. Every flash drive a data breach booby trap. The world of healthcare data privacy may seem scarier than the latest horror flick.

It doesn't have to be that way.

4 data breach response best practices

By Rick Kam and Christine Arevalo, October 24, 2011 Government Health IT

We'll be honest. This is not another article about the details of data breach response—notification timelines, identity protection, remediation, and so forth. Data breaches are stressful events, and experience proves that such details are best handled by an expert third party. Instead, we'll focus on the framework, or set of best practices in which to place these details — the how of a data breach response.

9 steps to take during an OCR data breach investigation

By Rick Kam and Christine Arevalo, October 17, 2011 Government Health IT

Dealing with sensitive protected health information (PHI) is no simple task. At any point along the spectrum of patient care—from initial diagnosis to billing—PHI is vulnerable to unauthorized disclosure. So, what's an organization to do when faced with a privacy incident?

3 Tips for surviving an OCR breach investigation

By Rick Kam and Christine Arevalo, October 10, 2011 Government Health IT

For many healthcare organizations, a dreaded acronym may well be OCR—the U.S. Department of Health and Human Services (HHS) Office for Civil Rights. With fines and enforcement of the HIPAA Privacy and Security Rules on the rise, it's natural for collective muscles to tense in anticipation of an OCR investigation.

6 best ways to protect against health data breaches

By Michelle McNickle, September 30, 2011 Healthcare IT News

According to a Department of Health & Human Services tally of data breaches since 2009, about 260 incidents occurred that went on to affect more than 10 million patients. And, it gets worse -- the second largest breach occurred not because of a hacked password but when computer back-up tapes were stolen from the back of a truck.

SAIC: Medical records for 4.9 million TRICARE beneficiaries were stolen

By Bob Brewin, September 29, 2011 nextgov

Science Applications International Corp. said backup computer tapes containing sensitive health information of 4.9 million Military Health Care System TRICARE beneficiaries treated in the San Antonio, Texas, area since 1992 were stolen from an employee's car Sept. 14.

Unraveling Data Breaches

By Joseph Goedert, August 1, 2011 HealthData Management

The federal health care breach notification rule requires HIPAA covered entities, comprising providers, insurers and vendors who must comply with HIPAA transaction sets, to report breaches of protected health information affecting 500 or more individuals to the Department of Health and Human Services' Office for Civil Rights.

OCR posts the breaches to a public Web site. And there have been a lot of postings: by mid-June, 288 listings had filled what is called the "Wall of Shame" in just an 18-month period.

Health Data Management contacted numerous organizations that had suffered a data breach, hoping to find one that would share its experiences about dealing with and recovering from a major breach. Only one responded, and that was to say it declined to comment. Susan McAndrew, deputy director for health information privacy at OCR, believes the reluctance is a missed opportunity.

The Cost of Healthcare Data Breaches

By Christina Thielst, HIT Exchange

The cost of healthcare data breaches has been hard to quantify, but one recent study found the economic impact of incidents to be approximately $2 million per organization. Other research reports the healthcare industry has one of the highest churn rates (7 percent), likely because consumers have higher expectations for the protection and privacy of their most sensitive medical information. This is important, because churn is a dominant factor and costs add up quickly at $107,580 estimated lifetime value per lost patient.

5 ways a PHI breach is like an epidemic

By Molly Merrill, May 26, 2011 Healthcare IT News

PORTLAND, OR – Data breaches have become the new healthcare "epidemic," says one expert.

Mahmood Sher-Jan, senior director of product management at ID Experts, an Oregon firm specializing in breach prevention, said he'd recently read that breaches of healthcare data have surpassed the 10 million records threshold.

10 steps to take when you’ve been hit with a breach

By Healthcare IT News, April 21, 2011

Data breach is an equal opportunity threat to hospitals and practices. As long as you hold and process patients' protected health information (PHI), breaches do not discriminate based on the size of your hospital system or practice. Simple things such as a stolen laptop, a missing back-up drive or unintentional human error could put your organization at risk.

Five insights on what OCR privacy fines mean for providers

By Healthcare IT News, April 05, 2011

PORTLAND, OR – The Department of Health and Human Services Office for Civil Rights (OCR) recently singled out two prominent healthcare organizations – Cignet Health of Maryland with a penalty of $4.3 million dollars and Massachusetts General with a settlement of $1 million – both for allegedly violating HIPAA. These sizeable fines signal a wake-up call for the healthcare industry, say experts, who believe these won't be the last.

Wake-Up Call for Healthcare Industry

PORTLAND, Ore. — April 5, 2011 — What can healthcare organizations learn from the multi-million dollar penalties recently issued by the Department of Health and Human Services Office for Civil Rights (OCR) for privacy violations? Recently, the OCR singled out two prominent healthcare organizations—Cignet Health of Maryland with a penalty of $4.3 million dollars and Massachusetts General with a settlement of $1 million—both for allegedly violating the Federal HIPAA Privacy and Security Rule, the rule that protects the privacy of patient healthcare information.

Initiative to Examine Financial Impact and Harm of Breached Patient Information

New York, NY, March 23, 2011 – Healthcare organizations are struggling with two key concerns today: how to protect patient information and how to better understand the financial harm caused when protected health information (PHI) is lost or stolen. A new project – led by the American National Standards Institute (ANSI), via its Identity Theft Prevention and Identity Management Standards Panel (IDSP), in partnership with the Shared Assessments Program and its Healthcare Working Group – has been launched to explore the financial impact of unauthorized PHI access. The goal for the “ANSI/Shared Assessments PHI Project” is to identify frameworks for determining the economic impact of any disclosure or breach of protected patient data.

Risk Assessment is a No-Risk Proposition

By Rick Kam, March 01, 2011, Government Health IT

No organization wants to experience a breach of protected health information or personally identifiable information. That is the general consensus of the CIOs, CPOs, and CISOs I talk to. So, what is the best way to reduce the potential of a data breach from happening? The answer is a risk assessment.

ID Experts’ RADAR Supports Hospitals’ and Clinics’

Enhanced Tool Documents and Reports Security Breach Incidents to Fulfill Federal Compliance

PORTLAND, Ore. – February 3, 2011 – Billions of dollars in Federal incentives are at stake for hospitals and clinics across the country to implement electronic health record (EHR) technology. In order to receive this money—or achieve "meaningful use"—organizations must be in full compliance with Federal HIPAA Privacy and Security Rules and State laws, including the mandatory reporting of security incidents involving patient records. Increasingly, hospitals and medical practices are using RADAR, the new tool from ID Experts®, to assess, document, and report any type of security incident involving patient data—and know they will be in compliance with privacy and breach notification regulations.

The State of Privacy Risk in Today’s Healthcare Organizations

The Health Information Technology for Economic and Clinical Health (HITECH) Act increases fines for non-compliance with HIPAA privacy regulations to $1.5 million per incident, but a new study by The Ponemon Institute shows that penalties are not the major costs from medical privacy breach. As with other types of businesses that experience privacy-related data breaches, lost patient confidence and lost business will have a much more devastating and long-term effect on a medical provider than any regulatory penalties. Based on reports from healthcare providers, Ponemon estimates that privacy-related breaches cost U.S. hospitals almost $6 billion a year.

Is Your Patient Data Secure?

By Sara Michael, January 12, 2011,

How secure is the patient data at your practice?

It's a question practices should be asking in the wake of the news that a server containing personal patient and billing information was breached at a radiology practice in Rochester, N.H. It's the latest security breach made public under the HITECH Act's security breach notification rules.

Experts name top 7 trends in health information privacy for 2011

By Molly Merrill, January 4, 2011, Healthcare IT News

PORTLAND, OR – A panel of healthcare experts representing privacy, trends, technology, regulatory, data breach and governance have identified the top seven trends in healthcare information privacy for 2011.

Experts Forecast Top Seven Trends in Healthcare Information Privacy for 2011

Move to Electronic Health Records Raises Concerns for Patient Privacy, Security, Data Breach

PORTLAND, Ore. — January 5, 2011 — What are the top security and privacy issues facing the healthcare industry in 2011? A panel of healthcare experts representing privacy, trends, technology, regulatory, data breach, and governance were asked to weigh in with their forecasts for 2011. These experts suggest that as health information exchanges take form, millions of patient records—soon to be available as digital files—will lead to potential unauthorized access, violation of new data breach laws and, more importantly, exposure to the threat of medical and financial identity theft.

Study: Data Breaches Cost Hospitals $6 Billion Per Year

By Katherine Hobson, November 9, 2010, Wall Street Journal

Data breaches in the health-care world aren't rare, as readers of this blog know.

A new report based on interviews with 65 health-care organizations has some stats on those breaches. The biggie: $6 billion. That's the annual economic burden that stems from data breaches at U.S. hospitals, according to the Ponemon Institute, a privacy and information-management research firm.

New Ponemon Institute Study Finds Data Breaches Cost Hospitals $6 Billion

Hospitals Are Not Protecting Patient Data; Healthcare Industry Lagging Behind HITECH Standards

TRAVERSE CITY, Mich. and PORTLAND, Ore. — November 9, 2010 — The latest benchmark study by Ponemon Institute, sponsored by ID Experts®, finds that data breaches of patient information cost healthcare organizations nearly $6 billion annually, and that many breaches go undetected.

ID Experts and Kivu Consulting Partnership Solves Data Breach Complexities

Investigation and Incident Response to Comply with All State and Federal Requirements; Free Webinar "How to Take Action When a Security Breach Hits" on Thursday, October 28

PORTLAND, OR. and SAN FRANCISCO, CA – October 14, 2010 – Responding to a data breach incident can pose immense complexities for any organization. Helping hospitals, universities, government agencies, and financial institutions get back to business post-breach is the driving force behind the partnership of ID Experts and Kivu Consulting, by effectively and quickly responding to a breach and complying with the 47 federal and state breach notification laws.

Assessing Security Incidents

Software Helps Measure the Impact

Healthcare Info Security, September 30, 2010

Healthcare organizations need to improve the methods they use to objectively assess the severity of a security incident and whether it should be reported, says David Parks, a privacy officer and attorney.

Latest Study on Healthcare and Data Privacy Will Be Previewed at IAPP Privacy Academy

BALTIMORE, MD. – September 27, 2010 – Attendees at the International Association of Privacy Professionals (IAPP) Privacy Academy will preview early findings of The Ponemon Institute’s latest research that examines healthcare providers’ compliance with the HITECH Act data breach privacy provisions. They will also learn how to protect patients’ medical privacy and how to comply with the latest regulations. Data breach and privacy experts, Dr. Larry Ponemon from The Ponemon Institute and Rick Kam from ID Experts, will lead the session “Are Healthcare Providers Really Compliant with HITECH Data Breach Provisions?” on Friday, October 1 at 8:30 a.m. ET.

Maine Court Limits Damage Claims in Data Breach Cases

Victims can't seek restitution unless they suffer actual losses, state Supreme Court says

By Jaikumar Vijayan, September 22, 2010, ComputerWorld

Maine's Supreme Court has ruled that consumers affected by the data breach at supermarket chain Hannaford Bros. in 2008 cannot claim damages from the company unless they suffered uncompensated financial losses or some other tangible injury.

ID Experts Releases RADAR, Tool for Compliance with Federal Healthcare Breach Rules

PORTLAND, Ore. - September 15, 2010 - More than four million patient records have been exposed this past year because of security breaches, according to the Department of Health and Human Services. Security breaches in healthcare involving patients' protected health information (PHI) are now commonplace, whether due to stolen servers or laptops, patient files found in dumpsters, deliberate abuse of system access, unintentional human error, or organized cyber attacks.

An overview of new data breach legislation proposals

by Rick Kam - President and founder, ID Experts - Monday, 23 August 2010 – Help Net Security - In the past two months, there have been two bills introduced in Washington, D.C. that are attempting to set nationwide standards for the security and privacy of consumers' personal information. There are already 46 different data breach notification laws in 46 states with somewhat different and inconsistent provisions regarding the notification of consumers.

VA Posts Data Breach Reports Online

Monthly updates show the different ways data has leaked out of the agency, including lost or stolen hardware and misdirected emails.

By Elizabeth Montalbano, InformationWeek , August 13, 2010

Once again showing that it's serious about transparency, the Department of Veterans Affairs (VA) has begun posting reports about data breaches on its website. The monthly reports, which the agency compiles for Congress, list different ways the VA has lost data, such as through lost hardware or misdirected emails.

Free Webinar on How to Protect Patient Records and Avoid Liabilities Under New HIPAA Privacy Rules

PORTLAND, Ore. - July 26, 2010 - Strong new privacy policy for health IT is now underway to empower patients to have more control over their health records. These expanded HIPAA rules, published July 8 by the Department of Health and Human Services, provide a stricter enforcement environment for security breaches of protected health information (PHI). Legal and data breach experts, Powers Pyles Sutter & Verville PC and ID Experts, have partnered to provide a free webinar designed for healthcare providers and HIPAA covered entities and business associates on Thursday, July 29 at 10:00 a.m. PT.

App Helps Assess Data Breaches

From Health Data Management - HDM Breaking News, July 26, 2010 - Joseph Goedert - ID Experts, a Beaverton, Ore.-based data breach prevention and remediation firm, has introduced software to measure the risk associated with a breach.

ID Experts Announces RADAR™: A HITECH Risk Assessment Tool for Healthcare Security Breach Inci

PORTLAND, Ore. - July 21, 2010 - Whenever there is a security breach of any size involving protected health information (PHI), the healthcare industry is now required under the HITECH Act to complete an incident-specific risk assessment.

Data Breach Risks and Privacy Compliance: The expanding role of the IT Security professional

By Rick Kam - You have a meeting with your IT Executive. You learn that you are now designated as the company's "privacy officer," a newly created role with few parameters and little direct budget or authority. Yet this position also comes with high expectations and responsibilities, and a laundry list of worries. You are now responsible for maintaining the privacy of your customers' and your patients' personally identifiable information (PII) and protected health information (PHI). You take a deep breath. If it makes you feel any better, you are not alone.

39 Breaches in 1st Half of 2010, Experts Predict More Attacks

Linda McGlasson, Managing Editor, Bank Information Security, June 28, 2010 - Already in the first six months of 2010, financial institutions have been involved with more than half the total data breaches they suffered in 2009 - and experts don't see the pace decreasing.

Are You Ready for A Data Breach?

From Healthcare IT News, published in partnership with HIMSS - June 23, 2010 - Doug Pollack, Chief Marketing Officer, ID Experts – The handling of data breach incidents has become a way of life for healthcare providers and other HIPAA covered entities. With the passage of the HITECH Act last year, there are now substantial penalties that can be levied, up to $1.5 million. This fact, combined with a requirement to notify the Department of Health and Human Services as well as the media for data breach incidents that affect over 500 individuals, has, for the first time, resulted in public records being kept for such incidents.

ANSI: PHI Project: The Financial Impact of Breached Protected Health Information: A Business Case fo

The PHI Project Overview

Trust is the foundation of the health care delivery system. Organizations responsible for safeguarding protected health information (PHI)—guardians of trust—require, now more than ever, a solid business case for enhanced PHI security. The ANSI PHI Project, entitled The Financial Impact of Breached Protected Health Information: A Business Case for Enhanced PHI Security now provides the information and tools for the “PHI protectors” to make a more compelling business case for requesting investments and resources to strengthen privacy and security programs that will resonate in the C-Suite and in the board room.

Three Things you may not know about the HITECH Act

From Healthcare IT News, published in partnership with HIMSS, June 16, 2010 - Mahmood Sher-Jan, Senior Director of Product Management, ID Experts – There has been much discussion around the HITECH Act and what it means since the enactment of ARRA last year. It is now widely known that the Department of Health and Human Services has issued regulations for breach notification by covered entities under HIPAA. Yet unlike the poor enforcement record of HIPAA regulations, the new HITECH Act provides for substantial financial penalties for failing to comply with these rules. And we are seeing that these penalties are actually starting to be enforced.

ID Experts Moves Offices in Portland to Accommodate Growth

PORTLAND, Ore. - April 22, 2010 - With data breach risks and identity theft on the rise, protecting personal information is even more important, both for organizations entrusted with this data as well as individuals themselves. And the future of healthcare dictates the use of electronic medical records, raising fresh concerns of medical identity theft. Portland-based ID Experts, the leader in comprehensive data breach solutions that deliver the most positive outcomes, announced that it has moved and expanded its offices.

ID Experts Leads Privacy and Data Breach Risks Session

BEAVERTON, Ore. – April 13, 2010 – Protecting personal information in healthcare and ensuring compliance are top of mind with privacy professionals, especially with enforcement of HITECH Act data breach provisions now underway. At this year's International Association of Privacy Professionals (IAPP) Global Privacy Summit in Washington, D.C., the world's largest gathering of privacy professionals, hear from ID Experts and Wiley Rein as they offer insights on how to reduce data breach risks; data breach prevention and risk mitigation strategies; and HIPAA/HITECH legislation.

How some ex-employees turn to cybercrime

By Alejandro Martínez-Cabrera, Chronicle Staff Writer - Thursday, April 8, 2010 – When a slumping economy and historically high unemployment rates dropped the ax on the country's workforce and left the survivors wondering if - or when - they'd be next, law enforcers and security experts braced themselves for what they considered would be an almost inevitable rise in data breaches and high-tech crimes. And they were right.

Laptops with medical data stolen

By Victoria Colliver, San Francisco Chronicle Staff Writer - Wednesday, April 7, 2010 – The theft of two laptops containing sensitive health information about more than 5,000 patients in the John Muir hospital system is just one of a number of recent incidents involving stolen medical data.

ID Experts Announces Comprehensive Healthcare Data Breach Solution

BEAVERTON, Ore. – February 16, 2010 – ID Experts®, the leader in comprehensive data breach solutions that deliver the most positive outcomes, today announced the first data breach solution for healthcare organizations that protects affected patients from medical identity theft.

ID Experts and InGuardians Present “Devious Developer” Talk at RSA Conference 2010

BEAVERTON, Ore. – February 16, 2010 – Data breach conventional wisdom is that attacks originate as an insider or from a malicious outsider. What happens when the compromise is a hybrid of these incidents, where attackers possess intricate knowledge of the systems they are exploiting? Hear from ID Experts and InGuardians as they present "Devious Developer: Lessons and Responses to a Real-World Hybrid Attack" on Thursday, March 4, at 1:00 p.m. PT at RSA Conference 2010.