Massive HIPAA Data Breach Response: Too Little, Too Late?

Community Health Systems, which runs 206 hospitals across the United States, recently announced that hackers had broken into its systems and stolen data on 4.5 million patients. The hackers had access to the patients’ names, addresses, birth dates and Social Security numbers, putting the patients at risk of identity theft. Thankfully, the hackers did not gain access to patient medical histories or credit card information.

The hackers were reportedly based in China and allegedly used sophisticated malware, planted on the hospital system's computers in April and June of 2014, to collect the data. Soon after discovering the breach, the hospital system announced that it had removed the malware from its systems and put additional security measures in place to prevent a recurrence.

Specifically, the attack reportedly exploited Heartbleed (CVE-2014-0160), the OpenSSL bug that lets an unauthenticated client read up to 64 KB of a server's memory per malformed heartbeat message. Heartbleed does not itself install malware; what it leaks is whatever happens to sit in the memory of the vulnerable service, which can include session cookies, passwords and private keys, credentials an attacker can then use to log in as a legitimate user and move further into the network. Why the Community Health Systems computers had not been patched is unclear: OpenSSL 1.0.1g, which fixes the bug, was released on April 7, 2014 with widespread publicity. Patching alone does not close the exposure, either, because anything already leaked (VPN and administrator credentials, TLS private keys) remains valid until it is rotated.
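To make concrete why an unpatched OpenSSL leaked data, here is an added example (not code from the original article or from Community Health Systems) that models the Heartbleed bug and its fix in C. The heartbeat record layout follows RFC 6520 (one type byte, a two-byte big-endian payload length, the payload, then at least 16 bytes of padding), and the two bounds checks in the patched handler are the ones OpenSSL 1.0.1g added. The "process memory", the 5-byte malicious record and the secret planted after it are all constructed for this example so that the over-read stays inside one defined buffer.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_PADDING       16          /* RFC 6520: at least 16 bytes of padding */

/* Constructed "process memory": a malicious 5-byte heartbeat request that
 * claims a 4000-byte payload, followed (at offset 64) by data that should
 * never leave the server.  Hypothetical contents, for illustration only. */
static unsigned char process_memory[4096];
static const size_t evil_record_len = 5;          /* type + length + "hi" */
static const char   *secret = "session=abc123;";

static void build_process_memory(void) {
    memset(process_memory, 0, sizeof process_memory);
    process_memory[0] = TLS1_HB_REQUEST;
    process_memory[1] = 0x0F;                     /* declared length 0x0FA0 = 4000 */
    process_memory[2] = 0xA0;
    process_memory[3] = 'h';                      /* only 2 real payload bytes */
    process_memory[4] = 'i';
    memcpy(process_memory + 64, secret, strlen(secret));
}

/* Builds the response once a payload length has been decided on. */
static size_t write_response(const unsigned char *payload_src, unsigned int payload,
                             unsigned char *resp, size_t resp_cap) {
    size_t total = 1 + 2 + (size_t)payload + HB_PADDING;
    if (total > resp_cap) return 0;               /* bound of this model only, not OpenSSL's */
    resp[0] = TLS1_HB_RESPONSE;
    resp[1] = (unsigned char)(payload >> 8);
    resp[2] = (unsigned char)(payload & 0xFF);
    memcpy(resp + 3, payload_src, payload);       /* the memcpy at the heart of the bug */
    memset(resp + 3 + payload, 0, HB_PADDING);
    return total;
}

/* OpenSSL 1.0.1 through 1.0.1f: the attacker-supplied length is trusted and
 * rec_len is never compared against it, so memcpy reads past the record. */
size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                            unsigned char *resp, size_t resp_cap) {
    (void)rec_len;                                /* the missing check */
    if (rec[0] != TLS1_HB_REQUEST) return 0;
    unsigned int payload = ((unsigned int)rec[1] << 8) | rec[2];
    return write_response(rec + 3, payload, resp, resp_cap);
}

/* OpenSSL 1.0.1g: two bounds checks run before the declared length is used. */
size_t heartbeat_patched(const unsigned char *rec, size_t rec_len,
                         unsigned char *resp, size_t resp_cap) {
    if (1 + 2 + HB_PADDING > rec_len) return 0;   /* record too short to be valid */
    if (rec[0] != TLS1_HB_REQUEST) return 0;
    unsigned int payload = ((unsigned int)rec[1] << 8) | rec[2];
    if (1 + 2 + (size_t)payload + HB_PADDING > rec_len) return 0;  /* silently drop */
    return write_response(rec + 3, payload, resp, resp_cap);
}

/* Returns 1 if the vulnerable handler's response to the malicious record
 * contains the secret planted 64 bytes into process memory. */
int vulnerable_leaks_secret(void) {
    static unsigned char resp[8192];
    build_process_memory();
    size_t n = heartbeat_vulnerable(process_memory, evil_record_len, resp, sizeof resp);
    /* payload byte i of the response mirrors process_memory[3 + i] */
    return n == 1 + 2 + 4000 + HB_PADDING &&
           memcmp(resp + 3 + (64 - 3), secret, strlen(secret)) == 0;
}

/* Returns the number of response bytes the patched handler produces for the
 * same malicious record (0: the request is dropped without a reply). */
size_t patched_response_len_for_attack(void) {
    static unsigned char resp[8192];
    build_process_memory();
    return heartbeat_patched(process_memory, evil_record_len, resp, sizeof resp);
}

/* A well-formed request: 2-byte payload "hi" plus 16 bytes of padding.
 * Returns 1 if the patched handler still echoes it correctly. */
int patched_answers_valid_record(void) {
    unsigned char rec[1 + 2 + 2 + HB_PADDING] = { TLS1_HB_REQUEST, 0x00, 0x02, 'h', 'i' };
    unsigned char resp[64];
    size_t n = heartbeat_patched(rec, sizeof rec, resp, sizeof resp);
    return n == sizeof rec && resp[0] == TLS1_HB_RESPONSE &&
           resp[1] == 0 && resp[2] == 2 && memcmp(resp + 3, "hi", 2) == 0;
}

int main(void) {
    printf("vulnerable handler leaks secret: %d\n", vulnerable_leaks_secret());
    printf("patched handler bytes returned for attack: %zu\n", patched_response_len_for_attack());
    printf("patched handler answers valid record: %d\n", patched_answers_valid_record());
    return 0;
}
```

The vulnerable handler copies 4000 bytes starting at the two real payload bytes, so whatever followed the record in memory (here the planted session cookie) is sent back to the client; the patched handler compares the declared length against the bytes actually received and drops the request, while still answering a properly formed heartbeat. This is also why a version check is not a substitute for a live test: distribution packages that backported the fix keep the old version string, and only the bounds check matters.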

The hospital system says it carries liability insurance to cover the consequences of data breaches. Under HIPAA's Breach Notification Rule, every affected patient must be notified without unreasonable delay and no later than 60 days after the breach is discovered, and a breach affecting more than 500 people must also be reported to the Department of Health and Human Services and to prominent media outlets. Notification does not shield the hospital system from liability, and it is possible that patients will sue for negligence. Unfortunately, once Social Security numbers have been stolen there is little patients can do beyond monitoring their credit reports and placing fraud alerts or credit freezes, since, unlike a password, a Social Security number cannot simply be reset.

Although the healthcare industry handles more personal information than almost any other and must comply with the HIPAA Security Rule, it lags behind most other industries in computer security: healthcare data breaches made up 43% of all reported breaches in 2013. Part of the reason is that securing a healthcare environment is harder than securing most others. Clinicians routinely share workstations and need immediate access to individual patient records, so controls that slow them down, such as per-user logins and screen locks, tend to be worked around. Most facilities are also physically open to the general public. And although the need for security expertise is great, healthcare IT staff are paid less than their counterparts in other fields and often have less security experience.

Hiring an outside firm with security expertise, such as Reclamere, to assess your systems is a sound investment. We offer a risk assessment service that evaluates both your breach-prevention controls and your incident-response plan for vulnerabilities and gaps. After all, it is far better to prevent a data breach than to have to respond to one.

For more information on Reclamere and our services, contact us today.
