News Feature | May 13, 2015

Data Breach Compromises PHI Of 39,000 At Seton Healthcare Family


By Christine Kern, contributing writer


Healthcare provider emails are far less secure than those of other industries.

Seton Healthcare Family, a Texas-based not-for-profit health system, has announced that in December 2014 hackers targeted employee usernames and passwords in an attempt to gain access to the personal health information (PHI) of patients. Seton was notified of the breach on February 26, 2015.

Seton is notifying those who were affected by mail and through local media outlets and is offering identity monitoring and protection services to those whose Social Security numbers were compromised. “We value the privacy and security of protected information, and we are committed to protecting the confidentiality and privacy of our patients and employees,” said Jesús Garza, Seton Healthcare Family president and CEO. “It is our priority to support those who have been affected. The organization is taking all necessary and appropriate steps to prevent a recurrence.”

Garza further explained Seton will continue to implement administrative, technical, and physical safeguards against unauthorized access of protected information.

An investigation determined the PHI of around 39,000 patients had been compromised via an e-mail account. Once Seton was notified of the breach, the user name and passwords for the affected email account were deactivated. Information gained by the hackers includes names, addresses, birth dates, medical record numbers, insurance information, clinical information, and Social Security numbers.

As Health IT Outcomes noted, a report from Agari found healthcare is dead last in terms of security, and that could mean costly consequences. Agari survey statistics demonstrate healthcare providers have the lowest “TrustScore” when it comes to keeping online communication secure. According to the survey report, an e-mail from a healthcare provider is “four times more likely to be fraudulent than one that is purportedly from a social-media company like Facebook.”

Protecting healthcare organizations against breaches of sensitive patient data should be a top priority for industry CIOs. Ken Kaufman, Solutions Consultant – Healthcare Information Security, Dell, told The Institute for Health Technology Transformation, “Healthcare is certainly behind – and it’s not just a timely answer given the recent news regarding recent high-profile breaches that have affected millions of patients. Technology is radically changing the healthcare industry.

“Already a primary target for cyber attacks, the increasing number of healthcare apps and devices, coupled with the growing popularity of BYOD initiatives has added to the complexity of managing end-to-end security in the healthcare ecosystem. (CIOs must recognize) Outside attacks are only one type of threat. Healthcare institutions must account for the human element of security – the network and data risks posed by users’ actions either maliciously or unintentionally.”

Kaufman adds, “To protect against underestimating the impact of a breach, one need only be mindful of the lessons learned by organizations that have suffered data breaches, where the cost of a single breach can average 20 times the cost of fines and penalties. These can include the costs of security program remediation, identity theft insurance, credit monitoring, legal costs, and individual and class action civil suit awards, to name a few.”

And while budgets are always tight, Kaufman says, “Every dollar spent on developing and maintaining a robust security program for your organization should be considered money paid into an insurance program of risk mitigation and potential liability reduction.”