The Security Scrutinizer with Howard Anderson

Breach Horror Stories Shared

Anecdotes Shed Light on Risks

Several healthcare organizations have shared information breach horror stories that are enough to keep security officers awake at night wondering if similar incidents could happen on their turf.

The anecdotes are included in a white paper from FairWarning Inc., which promised its clients anonymity in exchange for sharing the gory details. If you're looking for new ways to help convince those who control the budget at your organization to invest more in breach prevention, consider sharing these details with them:

  • A senior physician at one practice hired several lower-paid junior physicians to enter notes in the senior physician's name, resulting in billing fraud.
  • An employee of a specialty hospital who owned an assisted living facility as a side business was mining information from the hospital's electronic health records to feed his own business.
  • Staff members of one metropolitan healthcare organization used a pharmacy dispensing system to self-prescribe oxycodone.
  • Several organizations, both rural and urban, reported that staff used their electronic health record access to steal the identities of deceased patients to commit financial identity theft.

FairWarning advises healthcare organizations to conduct a benchmarking study before implementing a breach monitoring/prevention program to help measure improvement in preventing breaches. Its white paper offers several attention-grabbing benchmarking examples to illustrate just how common breaches really are, such as:

  • A 200-bed hospital with a few small clinics reported it was experiencing 24 confirmed breach incidents per month;
  • A physician practice with 20 clinics reported 29 incidents per month;
  • An integrated delivery system with multiple hospitals and clinics confirmed 125 incidents per month.

The anecdotal information on horror stories and the frequency of breaches is food for thought as you contemplate how to maintain patient privacy and comply with all the provisions of the HITECH Act -- and avoid its toughened penalties for HIPAA violations.

About the Author

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.
