News Feature | August 18, 2015

Healthcare Data Still Vulnerable As Another Breach Occurs


By Christine Kern, contributing writer


Medical Informatics Engineering data breach affects 3.9 million individuals.

According to a report released by the Identity Theft Resource Center (ITRC) and sponsored by IDT911, the number of U.S. data breaches tracked in 2014 reached a record high of 783, representing a substantial increase of 27.5 percent over 2013 and an 18.3 percent increase over 2010. The number of breach incidents tracked since 2005 also reached an unprecedented level, with the reported incidents involving an estimated 675 million records. Healthcare breaches have found their way to the top spot, accounting for 42.5 percent of the breaches identified in 2014.

As evidence of the continued threat of hackers to the healthcare industry, Medical Informatics Engineering announced a data breach has affected patients of Concentra, made up of 300 medical centers in 38 states and including Franciscan St. Francis Health in Indianapolis and Rochester Medical Group in Detroit. Nearly four million people could be affected.

The original detection of suspicious activity came on May 26, when the company immediately began an investigation to identify and remediate any security vulnerability. Notices were mailed to affected individuals on July 25, and the company is cooperating with a third-party team of experts in order to strengthen data security and protection. It is also working with law enforcement to trace the source of the breach.

The Medical Informatics Engineering announcement notes, “We are continuing to take steps to remediate and enhance the security of our systems. Remedial efforts include removing the capabilities used by the intruder to gain unauthorized access to the affected systems, enhancing and strengthening password rules and storage mechanisms, increased active monitoring of the affected systems, and intelligence exchange with law enforcement. We have also instituted a universal password reset.”

Affected data relating to individuals affiliated with affected Medical Informatics Engineering clients may include an individual’s name, telephone number, mailing address, username, hashed password, security question and answer, spousal information (name and potentially date of birth), email address, date of birth, Social Security number, lab results, health insurance policy information, diagnosis, disability code, doctor’s name, medical conditions, and child’s name and birth statistics.

The ITRC attributed the rise of the medical/healthcare sector to the top spot to mandatory reporting to the Department of Health and Human Services. Adam Levin, founder and chairman of identity management and data breach program supplier IDT911, said he anticipates “more massive takedowns, hacks and exposure of sensitive personal information like we have witnessed in years past. Medical data and business information, like intellectual property, will be prime targets, with cyber thieves looking for opportunistic financial gain based on black market value, corporate extortion, and cyber terrorism.”