News & Resources

Data breaches in health care raise concerns about identity protection

Oct 15, 2013 Dave King

Data breaches in health care raise concerns about identity protection

A recent string of information breaches in the health sector highlighted the continued need for stronger protection against identity theft among medical organizations.

The health center at Saint Louis University (SLU) in Missouri admitted that the private health information and Social Security numbers of 3,000 students had been compromised when an employee mistakenly emailed their account information to phishing scammers, Health IT Security reported.

However, the real target of the scam appeared to have been the official payment information of individuals employed by the SLU clinic. According to eSecurity Planet, unauthorized alterations were made to 10 employees' direct deposit accounts. So far, no fraudulent charges have been made on the accounts in question.

Health IT Security noted that in an effort to help concerned students whose information was breached, the university announced that it would be offering them a year of free identity theft protection and consumer credit data monitoring.

Trouble at Tennessee health provider

Meanwhile, in Tennessee, an unencrypted laptop containing the personal health information of 8,000 patients was stolen from the Hendersonville home of a finance department employee at Hope Family Health, according to The Tennessean. Stored on the laptop, which despite lacking encryption was protected by fingerprint verification and a password, were the names, dates of birth and Social Security numbers of individuals treated at the nonprofit health center since 2005, in addition to people who had never been seen by the clinic but had given their information during phone inquiries.

The Westmoreland, Tenn.-based medical provider was unable to recover the laptop or offer affected patients with identity-monitoring services, though it did move its data to an updated, encrypted server, the news source wrote. Nevertheless, a spokeswoman for a major consumer credit report provider recommended that individuals whose data was compromised should monitor their credit and financial information for a year or more, as identity theft often takes place at delays of many months.

Canadian province reels from public health breach
The wave of breaches also stretched to the United States' neighbor to the north. In the Peel municipality of Ontario, Canada, an unencrypted SD memory card containing the names, dates of birth and addresses of 18,000 who had participated in the region's Healthy Babies Healthy Children program was stolen from the car of a public health employee, The Toronto Star reported.

According to the source, news of the breach prompted the reevaluation of security protocols in the municipality. Emil Kolb, Peel region chair, apologized to affected residents, while Associate Medical Officer of Health Eileen deVilla pointed out that the storing of sensitive data on any unencrypted device is against official policy.

Breaches such as these were the topic of a recent conference in Washington, DC. The panel focused on medical identity theft among senior citizens, a growing problem that demands solutions. Half of all health care providers were subject to fraud enabled by the theft of health information in 2012.

Businesses of all kinds may want to take these and other examples as an opportunity to ensure the strength of their security solutions and remind employees about best information and identity protection practices.