Business Week reports that medical ID theft is on the rise. There were more than 275,000 cases of medical information theft in the U.S. last year, twice the number in 2008, according to Javelin Strategy & Research, a Pleasanton, California-based market research firm. The average fraud cost $12,100, Javelin said. Given that about 44 percent of U.S. doctors used some form of electronic records last year, according to the National Center for Health Statistics, such theft is not surprising.
Individuals are using stolen information to file false claims. Criminals also set up fake clinics to bill for phony treatments, according to Pam Dixon, founder of the World Privacy Forum, a non-profit consumer-research group based in San Diego, California, which has worked with more than 3,000 victims. Thieves also may impersonate a patient, like in Morgan’s case, and some medical workers download records to sell, she said.
The economic stimulus bill of 2009 includes $2 billion to create a national system of computerized health records and as much as $27 billion over 10 years in payments to Medicare and Medicaid providers who adopt the technology, according to the Department of Health and Human Services. The purpose of creating the digital files was to improve care and help lower costs, but digitizing these files makes the information more vulnerable to theft or hacking.
Insurers are working on improving technology to spot false claims, but better standards are needed. The government is considering new regulations to enhance the privacy and security of health information, said David Blumenthal, national coordinator for Health Information Technology at the Health and Human Services Department. Precautions, such as adding photos to patient records, are being adopted by some medical facilities.
Given the mobility of the current population, it makes sense that a person’s medical records be available whether that person is seeking treatment while living in Boston or needs emergency care while vacationing in California. The medical community needs to take all necessary safeguards to protect patient data and to ensure that the software used to store such sensitive patient information is as secure as possible.
Humza Zaman, a co-conspirator in the hack of TJX and other companies, was sentenced Thursday in Boston to 46 months in prison and fined $75,000 for his role in the conspiracy. The sentence matches what prosecutors were seeking.
Zaman, a 33-year-old former network security manager at Barclays Bank, was charged with laundering between $600,000 and $800,000 for hacker Albert Gonzalez, who is currently awaiting sentencing on charges that he and others hacked into TJX, Office Max, Heartland Payment Systems and numerous other companies to steal data on more than 100 million credit and debit card accounts.
To read more, see the complete story on wired.com.
A mortgage broker who discarded consumers’ personal financial records in a publicly accessible dumpster paid a $35,000 civil penalty to settle Federal Trade Commission charges.
According to an FTC complaint filed in December 2008, the defendant improperly disposed of about 40 boxes of sensitive consumer records collected by companies he had owned, including tax returns, mortgage applications, bank statements, photocopies of credit cards and drivers’ licenses, and at least 230 credit reports. In addition, two mortgage brokerage companies he previously owned failed to provide reasonable and appropriate security for sensitive consumer information, despite promising they would do so.
In addition to the $35,000 penalty, the settlement order also provides that the defendant is barred from misrepresenting measures taken to protect sensitive consumer information and failing to take reasonable measures to protect credit report information during its disposal. The order also requires the defendant to employ a comprehensive information security program for sensitive consumer information, and to hire an independent, third-party security professional to review the program every year for 10 years to ensure that it meets or exceeds the order’s requirements.
To read the complete FTC Press Release on the settlement, click here.
Connecticut Attorney General (AG) Richard Blumenthal announced that he is suing Health Net of Connecticut for a data breach resulting in the exposure of patient medical records and financial records of 446,000 Connecticut enrollees, which were allegedly stored on an unencrypted portable computer disk drive that disappeared from the company’s office in Shelton, Conn., on or about May 14, 2009.
This case will mark the first action by a state attorney general involving violations of HIPAA since the Health Information Technology for Economic and Clinical Health (HITECH) Act, which authorizes state attorneys general to enforce HIPAA.
For more information about this data breach, click here for the complete story on HealthImaging.com.
On December 17, 2009, Heartland Payment Systems announced that it would pay American Express $3.6 million to resolve charges stemming from a 2008 breach of Heartland’s payment system network, the AP reported.
Heartland’s data breach was the result of hackers installing spying software on Heartland’s computer network. These hackers also attacked 7-Eleven and Hannaford Brothers Supermarkets. The Department of Justice alleges that these hackers managed to steal more than 130 million credit card numbers from Heartland and about 4.2 million from Hannaford.
Heartland has still not reached resolution of its disputes with other card brands, such as Visa and MasterCard, arising out of this data breach, but clearly, such additional settlements will cost Heartland additional millions.
If you or your company have “personal information” concerning any Massachusetts resident (including information about your own employees), be prepared for a significant undertaking that may well affect the way you do business. The Commonwealth of Massachusetts has issued regulations pursuant to the state’s data breach notification law, and they are slated to go into effect on January 1, 2008. And while the notification law is largely consistent with the laws enacted by most other states, the regulations truly set Massachusetts apart.
The new regulations require any entity that maintains “personal information” regarding any Massachusetts resident to develop and implement a comprehensive, written information privacy plan that details how such information will be protected and secured. The business must also designate an employee to be responsible for the plan. This much might have been expected.
What sets the Massachusetts regulations apart, however, are their scope and specificity. The regulations list no fewer than twenty separate requirements for the plan, which mandate steps such as the training of all employees, the encryption of personal data on all laptops and mobile devices, the certification of all third-party service providers to ensure their appropriate treatment of personal information, and the institution of systems to monitor for data breaches and to implement appropriate anti-virus software and up-to-date security patches.
The regulations purport to apply to anyone holding personal information about Massachusetts residents, whether or not they themselves operate or do business in Massachusetts. As an initial matter, this covers virtually every business with a Massachusetts employee, since the combination of a name and a Social Security number qualifies as “personal information.” Companies outside of Massachusetts that process Massachusetts residents’ personal information — which would include virtually every retailer — are also within its scope. Further, service providers who work with any such companies will effectively be forced to comply with the regulations as well, since covered entities may only share personal information with service providers who are themselves compliant with the new mandates. Lawsuits regarding the extra-jurisdictional reach of these regulations are sure to come.
At a recent Boston Bar Association event, David Murray — the general counsel of the Massachusetts agency responsible for the new regulations — responded to questions regarding them. His responses indicated that they are, indeed, as broad as their language suggests. For example, Murray’s view is that existing long-term agreements with third-party service providers are subject to the regulations, which essentially means that relationships between Massachusetts companies and the vendors they use to handle “personal information” will likely require additional due diligence and potentially a renegotiation of contract terms. Murray, responding to comments pointing out how dramatic the changes required by the new requirements will be, said simply: “The regulations will not fit in with what is currently being done.”
Given the rapidly approaching January 1 deadline and the enormity of the task at hand, many believe that the Commonwealth will have little choice but to delay enforcement for six months or more. Further, the Attorney General’s Office, which will be in charge of enforcing the regulations, may take a “go slow” approach to clamping down. However, businesses should not dawdle in attacking this issue. First, implementation of the new information security plan will take time and resources, and even a six-month delay in the deadline will not give much breathing room. Second, independent of the AG’s enforcement strategy, the new regulations may well become a de facto standard against which hacked businesses are measured in civil suits. Businesses that find that customers’ credit card and financial account information has been lost or hacked may find themselves fielding more questions about their compliance from class action trial lawyers than from the Attorney General’s Office.
The system is screaming for a unification of the more than forty different regimes being implemented by various states across the country. Whether these regulations are sufficiently bold as to move Congress to act has yet to be seen, but the election and the financial crisis may well leave data security legislation as a low priority at the federal level. The prudent businessperson will neither assume that the Commonwealth will delay implementation of these regulations for any substantial period of time, nor rely on the federal cavalry to ride in at the last minute to save the day.
Below is a white paper detailing the regulations:
The Department of Justice issued an indictment involving the hacking of computer systems of nine major U.S. retailers. It purports to be the largest such case ever brought by the Department.
The indictment, brought in Boston, alleges that one Albert Gonzalez and others used a sophisticated attack that involved breaking into the retailers’ wireless networks and subsequently stealing credit card and other information using “sniffer” programs. The retailers involved include Barnes & Noble, BJ’s Wholesale Club, Boston Market, DSW, Forever 21, OfficeMax, Sports Authority, and TJX Companies. Their actions allegedly involve the theft of more than 40 million credit card numbers, some of which were sold on the Internet and some of which were used to create counterfeit cards to “cash out” the accounts.
The Department of Justice has issued a press release, which can be found here. The indictment itself is available below:
The United States Court of Appeals for the Third Circuit has issued a ruling in Sovereign Bank v. Fifth Third Bank and BJ’s Wholesale Club, Inc., exploring the relative responsibilities and obligations of banks involved in credit card security breaches. It addresses the complex relationships between the credit card company (here, Visa), the banks who issued the credit cards (“Issuers,” such as party Sovereign Bank), the retailers who accept the credit cards (“Merchants,” such as BJ’s) and the banks who work with the Merchants to process credit card transactions (“Acquirers,” such as party Fifth Third Bank). The relationships are governed in part by Visa’s Operating Regulations, which set out standards regarding the use and retention of credit card information.
Generally, losses resulting from fraudulent credit card charges are the responsibility of the Issuing Bank, but that liability can shift to the Acquirer if it resulted from the Acquirer’s violation of Operating Regulations. Sovereign, an Issuer, claimed that happened because Fifth Third’s merchant, BJ’s, failed to destroy information gleaned from customers’ swiped credit cards after it had been used.
The decision explored in depth whether the contractual relationship between Visa and Fifth Third was intended to benefit Issuing Banks such as Sovereign, giving them a right to sue. The Third Circuit, overturning the lower court, concluded that Sovereign could at least make the argument. It also held, however, that Sovereign could not sue BJ’s for negligence, since the losses were purely economic and there was no “third party beneficiary” argument it could construct to reach the retailer.
The matter has been sent back to the lower court for further proceedings. The decision may be found here:
A recent study by researchers at the Heinz School of Public Policy at Carnegie Mellon University questions whether data breach notification laws are effective in reducing identity theft. According to a research paper on the issue, identity theft accounted for losses of $56 billion in 2005, with 30% of those thefts resulting from data breaches. More than 40 states have passed laws calling for consumer notification in the event of a known breach to combat the problem, but the research concludes that “data breach disclosure laws reduce identity thefts by 5 for every 10 million people,” a number it describes as “not statistically significant.” While the paper also notes that such laws may account for a reduced magnitude of losses, or increased security vigilance by business, it does strongly suggest that the wave of data breach notification laws is far from a silver bullet. We can expect hacked servers and stolen laptops to pose a risk for businesses and consumers for some time to come.