Healthcare Technology Featured Article

March 11, 2014

IT Security and Healthcare: A Disaster Waiting to Happen Near You


A man named Stephen Butler recently contacted Oregon-based news radio station WTMJ and told them a story of how he has been receiving faxes that contain private health information (PHI) from hospitals in Wisconsin and South Carolina. Butler said that he had been receiving the faxes for an entire year.

According to Butler, the faxes contained sensitive personal data, including “a list of patient's names, [...] dates of birth, patient IDs, the dates they got admitted to the hospital and whether or not they were still in the hospital.” Butler continued to receive these documents even after a year of contacting the hospitals and asking them to stop. When he received another one in late February, Butler contacted one of the patients to let her know about the breach of privacy. According to Butler, she was thankful for the call and was going to contact the hospital.

The Community Memorial Hospital in Wisconsin blamed the data breach on United Healthcare. According to WTMJ, United Healthcare is trying to determine whether the breach is a result of a system “glitch or human error.”

4 Ways This Story Affects You:

As this story unfolds, there are many pieces that potentially affect all of us.

  1. If Stephen Butler of Oregon can receive information regarding United Healthcare patients from different areas of the country, who else can? Is the same service center verifying and faxing records for both Wisconsin and South Carolina? Is Butler the only person who has received unsolicited private information? Will United Healthcare help those customers who may have been affected? This is not the first time United Healthcare has had a breach. According to Computerworld.com, United Healthcare was at the center of a data breach at the University of California at Irvine in 2008, which affected more than 1000 grad students who were subscribers to United Healthcare.
  2. This breach calls into question the processes used by the 5,723 hospitals in the United States and all their affiliates. United Healthcare is only one of many providers that hospitals deal with daily. United Healthcare is a subsidiary of United Health Group, which states on its website that the company serves “more than 85 million individuals worldwide with health benefits and services [and operates] in all 50 states… and 20 other countries worldwide.”
  3. According to an article written by David F. Carr last December for Informationweek.com, Experian predicts a surge in healthcare data breaches in 2014. From the report, “The sheer size of the industry makes it vulnerable […] and it becomes clear that the industry, from local physicians to large hospital networks provide an expanded attack surface for breaches.”
  4. The implementation of the Affordable Care Act (also known as Obamacare) adds another level of security risk to this puzzle. According to a recent blog post by L. David Kennedy, CEO of TrustedSec, L.L.C., “In November of last year, I testified [to Congress] on the glaring security issues around healthcare.gov, not as a hacker but someone who studies security exposures and works for some of the largest companies in the world to better their security. Today, nothing has changed and it’s business as usual on the healthcare.gov site. Out of the issues identified last go around, there has been a half of a vulnerability closed out of the 17 previously disclosed and since my last appearance; other security researchers have also identified an additional 20+ exposures on the site.”

This is a lot to take in and to consider in light of all the electronic data that different entities have about us. We already worry about retailers, banking, and our financial data. Now we need to add our private healthcare and personal data and recognize the extent to which so much of it is out of our control. The moral of the story is: Be diligent. Check your credit reports and healthcare statements for unusual activity.

UPDATE: (A spokesperson from UnitedHealthcare contacted HealthTechZone.com with clarification on this story, which we are now sharing with our readers)

Mr. Butler owned a fax number that was one digit different from UnitedHealthcare's. A mistyped number was the cause of the error. The faxes did not contain medical or financial information, including Social Security numbers.

"We are working with the hospitals to request the information back from Mr. Butler, and we appreciate his alerting us to the issue. We are reminding all of our provider partners sending us a fax to dial the number at issue very carefully. We will work with the hospitals involved to ensure appropriate mitigation actions are taken to protect the privacy of anyone impacted."




Edited by Blaise McNamee