First it was stolen magnetic data tapes. Then it was a stolen laptop. Last week it was Eastern European computer hackers in Utah.
And now it’s an employee who transferred confidential patient information into a personal e-mail account, throwing the healthcare records of over 300,000 Medicaid beneficiaries in South Carolina out into the open and exposing them to possible theft of addresses, birth dates, phone numbers and Medicaid ID numbers, along with Social Security numbers in 22,604 cases where a Medicare number was linked to beneficiaries’ names, according to a story by Joseph Goedert.
That brings the total in just these four cases to close to 7 million patient records breached in the last six months. And it’s not just data being stolen. A recent study found that data breaches could be costing the U.S. healthcare industry between $4.2 billion and $8.1 billion a year, or an average of $6.5 billion. That’s you and me they’re talking about, because we pay for these thefts in higher health insurance premiums, and doctor and hospital bills.
Medicaid beneficiaries in six South Carolina counties were affected with this latest breach, when it was discovered that on April 10, an employee, since fired, transferred 17 spreadsheets dating back to Jan. 31, 2012, to a personal email account, according to Goedert’s story.
The typical recovery effort is usually an offer by departments of health of one year of credit and identity protection services, sometimes, as in the case of South Carolina, including a $1 million identity theft insurance policy.
Emory Healthcare in Atlanta is notifying 315,000 patients that protected information –including Social Security numbers for about 228,000 of them – was on 10 missing back-up disks for an obsolete computer system.
The disks contained data from an information system deactivated in 2007 about patients treated between September 1990 and April 2007, according to the delivery system. The patients were treated at Emory University Hospital, Emory University Hospital Midtown (formerly Emory Crawford Long Hospital) and the Emory Clinic Ambulatory Surgery Center.
Other information on the disks included names, surgery dates, device implants, surgeon and anesthesiologist names, and diagnosis, procedure codes and/or the names of the surgical procedures.
Emory has no evidence that information on the disks has been misused. It is offering affected patients credit and identity protection services through Kroll Inc. and conducting an inventory of all physical spaces across the system to ensure proper securing of data.
Edited by
Jennifer Russell
