April Healthcare Physical Security Breach Roundup & News

Keeping your organization secure starts with understanding the physical risks you face. That’s why Senseon brings you the most recent physical data breach announcements each month. If you’re interested in learning more about measures you can take to minimize the risk of your facility ending up on this list, we can help.

ShopRite Dumps 10,000 Patients’ Data

The personal information of almost 10,000 ShopRite pharmacy customers may have been jeopardized after an electronic device was disposed of improperly. Wakefern Corp., a cooperative of ShopRite stores, has begun sending out alert letters to customers in Millville, NJ who may have been affected. They report that they have “no evidence that any of the information has been accessed or misused in any way” and maintain that the likelihood of that happening is low. The data on the device was reportedly not encrypted but was protected by a password. The ShopRite team will be working to prevent future incidents, providing security training for its pharmacy staff, and strengthening its security policies.

Laptop Theft Jeopardizes Student Insurance Info

The California College of the Arts reported that earlier this year, an employee's laptop was stolen from their vehicle. The employee quickly reported the device as stolen to both college staff and local law enforcement. Passwords were changed, and the college began monitoring the laptop for signs of activity in an attempt to wipe the device remotely. As last reported, there were no indications that the laptop was connected to the internet. No evidence of misuse has been found, but it has been determined that the files on the device may have contained a combination of names, Social Security numbers, dates of birth, member numbers and/or health insurance information.

Maine Medical Center Loses External Hard Drive

Eastern Maine Medical Center began the process of notifying 660 patients of the potential threat to their information after a portable external computer hard drive was found to be missing from its State Street Campus. The device held information on cardiac ablation patients who received service at the center between January 3, 2011, and December 11, 2017. It included names, dates of birth, dates of service, record numbers, condition descriptors, and procedural images, and was owned and operated by a third-party vendor. The risk to the information is reported to be low, but the medical center has sent notification to all patients by mail.

Detroit Loses Data on 511 Individuals

The City of Detroit is offering free credit monitoring to over 500 individuals, including juveniles, whose medical or personal information could not be located for about two weeks. City officials report that a health department worker lost a flash drive, which was later found in the employee’s bag. It appears that no information was compromised, but the health department and Department of Innovation & Technology have notified anyone impacted and offered free credit monitoring through Experian for 12 months.


Risk Mitigation Gets Highlighted at HIMSS

“Compliance is not Security” was a key theme at HIMSS18, with multiple presenters taking time to highlight that fact. The importance of a mature approach to security that’s rooted in company culture and comes from the top down was consistently emphasized at the conference. The Identity Theft Resource Center reported that the healthcare sector topped the list of breached sectors in 2017, coming in at 28 percent of total breaches. This is thought to be primarily because of the limited security resources available in the industry. The need for security awareness and culture that goes beyond checklist-style activity was emphasized as a key to addressing the vertical’s security challenges.

Report Highlights Healthcare’s Unique Danger of Insider Threats

Verizon has taken a second look at its Data Breach Investigations Report (DBIR), paying specific attention to healthcare’s unique profile and security issues with a focus on PHI. It found that healthcare is the only industry in which internal actors posed the biggest threat to an organization. These actors are primarily motivated by financial reasons (tax fraud, opening lines of credit), but also by fun and curiosity or convenience. Additionally, over a quarter of the incidents reported were related to PHI printed on paper, including prescription information, billing statements, discharge papers, and filed copies of ID and insurance cards. Another 21 percent of incidents involved lost and stolen laptops that contained unencrypted PHI.

April 5th, 2018 | Blog, Industry