Data breaches continue to impact all types of organizations, but it's possible no industry has been more affected than the healthcare sector. Cybercriminals are frequently targeting healthcare providers with more sophisticated tools, hoping to gain access to a wealth of valuable patient information like Social Security numbers, medical records, credit card data and other identifiable information.
The migration to electronic health records (EHRs) has helped many medical organizations improve collaboration, reduce costs and enhance patient care, but security remains a top concern. The Utah Department of Health (UDOH) recently fell victim to a massive data breach when hackers accessed a computer server containing the personal information of Medicaid clients and Children's Health Insurance Plan (CHIP) recipients. UDOH joins a growing list of public and private health organizations that have suffered damaging data breaches in recent months.
"We understand clients are worried about who may have accessed their personal information, and that many of them feel violated by having their information compromised," said UDOH deputy director Michael Hales. "But we also hope they understand we are doing everything we can to protect them from further harm."
The Utah Department of Technology Services (DTS) and UDOH originally said on April 4 that the incident involved the exposure of 24,000 Medicaid claims, which generally include client names, addresses, birth dates, Social Security numbers, insurance information and other private data. However, two days later the DTS and UDOH announced the breach was more widespread than first thought, as the hackers potentially had access to the information of more than 180,000 Medicaid and CHIP recipients. Of those victims, 25,096 had their Social Security numbers compromised.
The damage estimate then expanded for a second time on April 9 when authorities revealed the breach actually included about 780,000 victims, of which 280,00 likely had their Social Security numbers stolen and 500,000 had less-sensitive personal information exposed.
"The data breach initially occurred on Friday, March 30," the Utah Health Department said in a press release. "A configuration error occurred at the password authentication level, allowing the hacker to circumvent DTS's security system. DTS has processes in place to ensure the state's data is secure, but this particular server was not configured according to normal procedure. DTS has identified where the breakdown occurred and has implemented new processes to ensure this type of breach will not happen again."
In today's healthcare landscape, physicians and other employees use mobile devices, cloud computing, electronic health records and virtual servers to store, manage and transfer sensitive patient data, Although these technologies provide several advantages and are necessary for the modernization of healthcare, medical organizations must implement stronger security policies and better data protection solutions and comply with regulatory standards.
With more devices now in play, healthcare providers should consider protecting critical endpoints and data with industry-leading technology. Based on the Department of Health's explanation, it appears that stronger access control and data encryption could have prevented the hackers from accessing the server and using the client information in any way.
The UDOH breach is one of several similar incidents in the healthcare industry during the past year. Nonprofit group Privacy Rights Clearinghouse recently examined the six worst data breaches of last year, three of which involved health information. According the PRC, the breach of Sutter Health was the third-worst of 2011, as 3.3 million patient records were exposed when a desktop computer containing unencrypted data was stolen. The report also cited the Health Net and Tricare data breaches, which impacted about 7 million people combined.
Data Security News from SimplySecurity.com by Trend Micro