10 of the largest data breaches in 2012 … so far
June 5, 2012 in Medical Technology
We’re six months into 2012, and numerous headlines have showcased some large health data breaches. Whether it’s outright theft, the actions of a disgruntled employee or overall carelessness, 2012 is already chock-full of noteworthy breaches. And according to recent research, the problem is only growing.
Here are 10 of the largest data breaches in 2012… so far.
1. Utah Department of Health. On March 30, approximately 780,000 Medicaid patients and recipients of the Children’s Health Insurance Plan in Utah had personal information stolen after a hacker from Eastern Europe accessed the Utah Department of Technology Service’s server. Initially, the number of those affected stood at 24,000, yet, according to UDOH, that number grew to 780,000, with Social Security numbers stolen from approximately 280,000 individuals and less-sensitive personal data stolen from approximately 500,000 others. The reason the hacker was able to access this information? Ultimately, it was due to a weak password.
2. Emory Healthcare. On April 18,Emory Healthcare in Atlanta announced a data breach after the organization misplaced 10 backup disks, which contained information for more than 315,000 patients. The 10 disks held information on surgical patients treated between 1990 and 2007 at Emory University Hospital Midtown and the Emory Clinic Ambulatory Surgery Center. Of the 315,000 patient files, approximately 228,000 included Social Security numbers, with other sensitive information at risk including names, dates of surgery, diagnoses, and procedure codes.
3. South Carolina Department of Health. An employee of the South Carolina Department of Health and Human Services was arrested on April 19 after he compiled data on more than 228,000 people and sent it to a private email account. Approximately 22,600 people had their Medicaid ID numbers taken, which were linked to their Social Security numbers. Others had names, addresses, phone numbers, and birth dates stolen as a result of the act. The former employee, Christopher Lykes Jr., was charged with five counts of violating medical confidentiality laws and one count of disclosure of confidential information.
[See also: 12 steps for surviving a privacy breach investigation.]
4. Howard University Hospital. Toward the end of March, Howard University Hospital in Washington D.C. notified approximately 34,503 patients of a potential disclosure of their PHI that supposedly occurred in late January. A laptop, which was password protected, was stolen from a contractor’s vehicle, yet, according to the hospital, no evidence suggested any patient files were accessed. The records stolen did contain Social Security numbers for many of the patients affected. Today, the hospital requires all laptops issued to Howard University Health Sciences employees to be encrypted.
5. St. Joseph Health System. In February, St. Joseph Health System, in California, alerted approximately 31,800 patients of a possible security breach at three of their organizations throughout the state. According to the system, security settings were “incorrect,” which allowed for the potential breach. Information accessed didn’t include Social Security numbers, addresses, or financial data, yet patients’ names and medical data were vulnerable. The records at risk were mostly for inpatients who received care from February through August of 2011. The data, the organization said, would have been available through Internet search engines from early 2011 to February 2012.
Continued on the next page