Monday, April 29, 2013

Health Data Leaks

Attached is an article published in the recent edition of the South Florida Business Journal titled "Breached: Health data security has sprung an expensive leak" highlighting the connection between the increasing identity theft and tax fraud in South Florida with the "leaky security" at healthcare facilities. Identity thieves and tax fraudsters are often purchasing patient data from employees in the healthcare services sector, which is then being misused for fraudulent tax filings costing the federal government $5 billion last year.

As physicians we have to be part of the prevention and cure of this problem. Therefore, I do not collect social security numbers anymore in my office and save all sensitive patient data on a secured server. Once I enroll a new patient into my practice my EHR creates an internal ID for identification purposes, eliminating the need for recording the social security number. Unfortunately, Medicare is still imprinting the identification cards with the recipient's social security number. This should be replaced with a tracking number which then has to be verified through a secured server accessible only by registered providers of healthcare services. This of course will not eliminate the human factor and the susceptibility to financial bribes and other incentives. But we must start today to stop identity theft.

Breached: Health data security has sprung an expensive leak

Brian Bandell, Senior Reporter, South Florida Business Journal

South Florida’s identity theft and tax fraud epidemic is often tied to leaky security at medical providers that fail to safeguard patient records.

Fraudulent tax filings cost the federal government $5 billion last year, and South Florida is the epicenter for this scam, said Wifredo A. Ferrer, U.S. attorney for the Southern District of Florida. Criminals could not file fraudulent returns without easy access to victims’ personal information.
The identity thieves, often former street criminals, are willing to pay hundreds of dollars for each Social Security number, he said. The masterminds have “filing parties” where they teach others to do fraudulent returns in exchange for a cut, Ferrer said.

“Hundreds of thousands of people go to hospitals and, if you have someone inside willing to sell your information for a couple hundred dollars, that will happen.”

In the past few years, employees of Jackson Healthcare System, Memorial Healthcare System, Mount Sinai Medical Center, Boca Raton Regional Hospital and the Palm Beach County Health Department have been charged with stealing patient data to aid fraud schemes. Many other defendants worked for smaller local medical offices. In other cases, health care providers had data stolen or hacked by outsiders, Ferrer said.

While his office is working hard to find criminals by tracking the IP addresses used to file bogus returns and the flow of stolen tax dollars, Ferrer is urging hospitals and doctor offices to secure the information.

The U.S. Department of Health and Human Services requires health care providers and insurers to report data breaches affecting more than 500 patients and post it on the HHS website. Since this began in 2009, there have been 17 data breaches affecting 1.44 million people at health organizations serving South Florida. The largest breach was at Miami-based AvMed Health Plans, with 1.22 million records leaked from stolen laptops, which led to a lawsuit from its members.

Still a problem 17 years after HIPAA

Medical records were supposed to be safeguarded by the Health Insurance Portability and Accountability Act (HIPAA), which passed in 1996, but apparently, many providers still haven’t plugged the leaks.
“This will keep happening because many health care companies don’t have good internal controls, don’t have physical controls to prevent them from walking out with records and don’t have proper security awareness and training for employees,” said Silka Gonzalez, president of Miami-based Enterprise Risk Management, which helps companies with data security.

Banks take a more aggressive approach to data security because regulators have been tough on them, but the health care industry hasn’t been under as much pressure, Gonzalez said. They’re more interested in investing in patient care than data security.

“If some hospitals are far from having the best security possible, forget about small practices,” Gonzalez said. “They won’t have any security in many cases.”

The government is trying to show that HIPAA compliance is serious, but so few doctors have been fined over the years that the chances of getting penalized are pretty slim, said Luis Salazar, a partner with Miami-based Salazar Jackson, which has a data privacy law practice.

Salazar said he was a victim of tax fraud, but he was able to sort it out fairly quickly and file his tax return.

“Most people realize they are victims in the first three or four months, but 20 or 25 percent don’t catch onto it for three or four years,” Salazar said.

The Social Security number should only be available during billing and intake, but Salazar has seen hospitals that have multiple terminals with patient information available to all employees.

In response to the data theft by its former employee, Boca Raton Regional Hospital enhanced its security to block out full Social Security numbers from patient records, conduct random workspace audits of records security and additional employee training on HIPAA, spokesman Thomas Chakurda said.
Electronic records make theft easier

The push to use electronic medical records had the unintended consequence of making data theft more efficient, said Alan Brill, senior managing director for New York-based Kroll Advisory Solutions.

“If you want to steal 5,000 sets of identity, it might take days to copy it from physical files, and someone might notice,” Brill said. “Now it’s on a computer and it may be no more difficult than putting in a USB key or staying late and printing things.”

Brill worked a case where a hospital technician replaced a backup DVD with a blank DVD, copied the entire set of patient records and made counterfeit credit cards.

Two Palm Beach County Health Department employees were arrested in February for stealing more than 2,800 patient records for a tax fraud scheme. PBCHD spokesman Tim O’Connor said the employees, who worked in the medical records department, targeted patients born between 1991 and 1996 because they could claim the youngsters were dependent on their parents and claim a big refund.

The health department has since put safeguards in place – such as replacing Social Security numbers with independent patient numbers, O’Connor said. Only financial counselors will have access to Social Security numbers, he added.

Miami attorney Mark A. Dresnick, who represents health care providers in HIPAA cases, said he would not give providers his Social Security number unless there is a valid reason because he doesn’t want it stolen.

“My suspicion is that a lot of the tax fraud is coming from doctor offices due to theft of Social Security numbers by receptionists and clerical staff,” Dresnick said.

HHS has become tougher with penalties and has targeted smaller providers, Dresnick said. In Massachusetts, an ear and eye clinic was fined $1.5 million after a data breach. Dresnick said regulators would be less forgiving of medical offices that ignore HIPAA training for employees and don’t take sufficient steps to secure data.
HIPAA expands beyond health providers

A new rule expanded HIPAA compliance for patient record security to companies that provide services to the industry. Jorge Rey, associate principal and director of information security and compliance at accounting firm Kaufman, Rossin & Co., said this includes consultants, medical records storage companies, law firms, collection agencies. If there is a data breach or lax security, they could face monetary penalties, he added.

Brill added: “You’re not a security company, yet you have the responsibility for doing the right thing.”
