Don’t be next: Lessons from 5 recent health data breaches

Five hospitals recently suffered breaches of patients’ protected health information. Here are some lessons your organization can learn to avoid being next. 

The most prominent IT security threat healthcare organizations face right now, based on several recent incidents, is the theft of laptops, USB drives and other mobile computing devices containing patients’ information.

Over the last few weeks, at least five hospitals have reported data breaches involving the theft of a computer or other device from their facilities or an employee’s home. In total, the breaches may have affected more than 26,000 patients.

In the most recent incident, Stanford Hospital officials announced that a computer containing patient information was stolen from a doctor’s locked office in mid-July. The computer contained data about roughly 2,500 patients, including names, locations of service and medical record numbers, and possibly treatment histories, birth dates and Social Security numbers for some patients.

The computer was password-protected and contains tracking software that should show it’s location when it’s turned on and connected to the Internet, university officials said. So far the machine hasn’t been detected, but patients have been notified as a precaution.

In an incident earlier in July, information about 14,000 Oregon Health & Science University Hospital patients may have been jeopardized after a USB drive was stolen from an employee’s home. Hospital officials said the employee had accidentally taken the drive home in a briefcase after work. The device was being used to move the information from one computer system to another.

The data was password-protected and did not include the kinds of information typically used in identity theft, hospital officials said, but 700 patients have been notified of the breach because their information was more sensitive than the others’.

While it appears the information involved in those data breaches was encrypted and locked behind passwords, other recent IT security incidents involved data that was not as well protected.

In a breach at Beth Israel Deaconess Medical Center in Boston, a doctors’ personal computer was stolen after he had loaded it with information about 3,900 patients. All hospital-owned computers were encrypted, but the doctor’s personal laptop wasn’t.

Shortly after that was made public, Hartford Hospital in Connecticut reported a breach in which an employee of a data analysis firm the hospital had contracted with had a work laptop stolen during a home burglary. The data wasn’t encrypted and included information about nearly 10,000 patients.

Around the same time, Northwestern Memorial Hospital in Chicago reported an incident in which six laptops and tablets were stolen from its main offices, containing information about an undisclosed number of patients.

Normally, the information would have been protected by several security controls, hospital officials said, but those controls were suspended at the time of the theft because the computers were receiving software upgrades.

Prevent data breaches involving mobile devices

As doctors and other employees do more of their work on laptops, tablets, smartphones and other mobile devices, healthcare providers will be at greater risk of IT security breaches occurring because those devices are stolen.

What can organizations do to minimize that risk? Here are five lessons that can be learned from those recent breaches:

1. Have a policy about taking information home. As computing devices become more portable, more doctors and other employees are taking patients’ sensitive information home with them. And many healthcare data breaches have involved devices being stolen from people’s homes, cars, or other places. It’s a good idea to have rules preventing sensitive data from leaving the organization’s premises.
2. If you allow the use of personal devices, have a plan to secure them. After its data breach, Beth Israel instituted a policy requiring personal devices to be encrypted and have other security controls installed by the hospital before they are used to access any sensitive data.
3. Delete data when it’s no longer needed. For example, unnecessary extra copies made during a back-up shouldn’t be held onto for longer than is needed. The more copies of information that exist, the more chances there are for it to be stolen.
4. Keep offices physically secure. As laptops become the norm for computing, it’s becoming easier for criminals to break into an office and walk out with a lot of valuable data. Healthcare organizations must invest in physical security controls and regularly audit the security of their premises.
5. Make sure third parties are also secure. With any security plan, it’s important for healthcare organizations to not only take the steps themselves, but to make sure any third party they work with is doing so, as well.