
Recent Disclosed Cyber Attacks Highlight Healthcare Data Risks

In the past couple of weeks, at least three organizations in the healthcare industry have disclosed data breaches that affected patients, underscoring the relentless cyber risks that this segment faces. The first disclosure came from CareFirst BlueCross BlueShield, where a cyber attack affected an estimated 1.1 million people. The next victim of an attack was Cleveland-based MetroHealth System, which is in the process of notifying almost 1,000 patients who received heart catheterization procedures at the hospital over the past year that their protected health information may have been accessed when three computers were hacked there. The third incident occurred at three Bergen County, New Jersey hospitals, where thousands of patients have been alerted that their personal information was stolen by a billing clerk in a data breach being investigated by federal authorities.

The CareFirst attack occurred in June of last year and targeted a single database that contained information about the health insurer's members and others who accessed its websites and services. According to the company, customer names, birthdates, user names, email addresses and subscriber ID numbers may have been stolen. The database did not contain Social Security numbers, medical claims or financial information. Moreover, according to CareFirst, member passwords were encrypted and stored in a different system.

CareFirst’s disclosure marks at least the third time this year that a large health insurance company has reported a data breach, with experts continuing to warn that medical records are increasingly sought by hackers. Anthem, formerly known as Wellpoint, said in February that upwards of 78.4 million records were at risk after hackers accessed one of its databases. The breach exposed names, birth dates, Social Security numbers, addresses, phone numbers, email addresses and member IDs, as well as some employee records and income levels. Only five weeks after Anthem’s disclosure, Premera Blue Cross said information including bank accounts and clinical data going back to 2002 may have been compromised in an attack that affected up to 11 million people.

MetroHealth System discovered “malware” or malicious software on three computers in its Cardiac Cath Lab, according to a statement on May 15. The software was discovered March 17 on only those computers, and affected patients who had procedures in the lab between July 14, 2014 and March 21, 2015. According to an article on Cleveland.com, it took a few days after the initial discovery of the software and its removal on March 18 to find an additional component of the virus that allowed for “back door” access to the computers, should the original software be removed. The “back door” access to the computers was removed March 21, the health system said.

MetroHealth System’s computers did not contain financial information, according to the company. The information stored on the affected computers included patient name; date of service; date of birth; height; weight; medications administered during the procedure; medical record number; case number (limited only to that procedure); and cardiac catheterization raw data such as tracings of EKG and oxygen saturation. The health system is in the process of notifying all the affected patients.

The Bergen County hospitals affected in the third disclosed breach are The Valley Hospital in Ridgewood, Englewood Hospital and Medical Center, and Holy Name Medical Center in Teaneck. An employee with a company that handles billing for emergency department physicians at these hospitals illegally passed on the names, Social Security numbers and birth dates of patients, officials said. The scope of the breach remains unclear. The billing company, Medical Management LLC, based in North Carolina, has contracts with 40 providers across the nation. Thousands of patients at White Plains Hospital in New York and the University of Pittsburgh Medical Center have also been warned that their personal information had been compromised. The employee allegedly involved in the thefts worked at Medical Management from February 2013 until March 2015, when the breach was discovered. The company is offering those who were affected free credit protection services.

Again, the continued attacks on medical facilities, including physician offices and health insurers, highlight the urgency for organizations to further beef up security and to ensure they have adequate Cyber Liability/Privacy & Security insurance to address the costs involved in dealing with a breach. Cyber insurance policies are designed to cover the costs of notification, the price of a public relations firm and regulatory fines, and to help protect the reputation of the organization. The policies also cover third-party claims for practices that find themselves the target of a lawsuit as a result of the breach.

Axis Insurance Services specializes in Cyber insurance coverage for healthcare organizations and medical facilities and can help design a policy that meets your specific profile. Give us a call at (877) 787-5258 for more information.

Blogged on: May 27, 2015 by Mike Smith