Category Archives: Data Breach News

Panama Papers are Biggest Data Leak Yet

April 11, 2016


If cyber hackers can unearth the financial secrets of Russian President Vladimir Putin, do you really think your company is safe from the same thing?

Panama Papers: “History’s Biggest Data Leak”

News of the “Panama Papers” is filling newspapers and websites across the globe this week, in what The Guardian is calling, “History’s biggest data leak”.

Hackers have unearthed the financial secrets of some of the world’s most powerful people, detailing how many international politicians, business leaders and celebrities have used the Panamanian law firm Mossack Fonseca, the fourth-largest offshore law firm in the world, for unseemly financial transactions.

The Panama Papers are 11.5 million documents taken from the files of Mossack Fonseca by an unnamed source and turned over to a German newspaper. Information from this leaked data continues to spill out, and the repercussions already include the prime minister of Iceland resigning on April 5, the president of Transparency Chile, a branch of a global anti-corruption group, stepping down on April 4, and the CEO of a large Austrian bank resigning on April 7.

Others named in the massive data breach include the presidents of Argentina and Ukraine, the prime minister of Pakistan, a king from Saudi Arabia, the former emir of Qatar, and Argentine soccer star Lionel Messi. A Russian cellist who’s a close confidant of Putin has also been named in the documents.

As the fallout from this massive data leak continues to reverberate literally around the world, it’s a great reminder that every company is at risk of a data breach. If the world’s richest and most powerful people can have their most confidential information hacked, cyber hackers can seemingly get anywhere they set their minds to.

Is your company safe?

While nearly half of all organizations experienced a data breach in the last year, a recent report by AIIM (Association for Information and Image Management) showed that a quarter of respondents felt that their senior managers did not take the risks of data privacy breaches seriously.

This report comes on the heels of a 2015 IBM survey of more than 700 C-level executives, in which almost three-quarters of CEOs named ‘rogue individuals’ as the largest threat to organizations. The truth is that 80% of cyber attacks are led by highly organized crime rings.

Too many C-level leaders have their heads in the sand and move forward with an “It won’t happen to us” mentality.

Protect your company and be proactive. Your data is everywhere these days—on hard drives and paper at the office, with volumes of information on laptops that move in and out of the office, on mobile devices and cloud storage—these are all entities that need to be managed from the C-level on down.

IBM’s study revealed that almost two-thirds of C-level executives in marketing, human resources and finance departments acknowledge they are not actively engaged in cyber security strategy and execution. Cyber security is at a point now where it simply has to go beyond the IT department. Criminals are targeting any department where personally identifiable and financial information resides.

Senior managers have to commit to information security before an organization can fully adopt a culture of security. Employees will follow the example set by their managers.

The Panama Papers put another spotlight on cyber security. Even the richest and most powerful are at risk.


Cyber Crime Continues to Rise

February 11, 2016


If you’ve picked up a newspaper or watched the news on television over the last five years, you’re probably aware that identity theft is one of the fastest rising crimes in the United States. It was probably bound to happen: as more and more of our lives, including our financial transactions, are conducted digitally, criminals have followed close behind, and cyber crime is increasing dramatically. So you knew that, but did you know that identity theft now costs Americans nearly twice as much as property theft? In a recent report the U.S. Bureau of Justice Statistics found that total losses attributed to identity theft in 2012 were $24.6 billion, compared to $13.9 billion for property theft crimes. One would imagine that those numbers are only going to rise over the next decade.

Cyber Crime – is there an End in Sight?

There are plenty of studies that show that the crime rate is falling in the U.S., but many of those studies can be construed as inaccurate, as there still isn’t a great way of measuring cyber crime. An article from last year in phys.org had the following two quotes:

“Crime reporting has to be updated for the cyber-era,” said researcher and dean of the UAlbany School of Criminal Justice Alan Lizotte. “Property crime that remains underreported because it’s online crime shapes our response to it, particularly the response of law enforcement—what’s hidden stays hidden, yet continues to be a real, growing threat.”

“Recent data breaches targeting major US retailers and, more disturbingly perhaps, health-care providers, are evidence that we’ve reached a new frontier in criminal behavior,” said UAlbany criminal justice school researcher Giza Lopes. “Crime control is far from keeping up—a deficit that spans from inadequate measurement to jurisdictional inability to deal with a problem that spills over physical and national boundaries.”

Clearly cyber crime is on the rise and the ways to keep track of it haven’t quite caught up yet. What this means for organizations, however, is that the need for data security is more important than ever. Maxxum’s recent research study revealed that over 40 percent of companies sometimes use disposal methods outside of a professional technology disposal service, including equipment donations and giving equipment to employees.

There’s certainly nothing wrong with donating or gifting old technology, but we can’t stress enough how important it is to have that technology wiped clean of information beforehand. Simply deleting material isn’t nearly enough. Drives need to be sanitized and wiped clean to ensure that your sensitive information isn’t leaving your building in your old technology assets.

Organizations should make sure they receive documented transfer of custody and indemnification from their technology asset disposal company (we’ve outlined a few other key things to expect from a technology asset disposal company for reference here).

At Maxxum, we’re committed to smart, strategic partnerships with our clients. We stay up-to-date on laws and regulations regarding data privacy and environmental responsibility. We develop and support industry best practices in compliance, remarketing, recycling and reporting.

Maxxum Conducts Tech Disposal Research Study

February 3, 2016


Maxxum recently conducted a tech disposal research study with a simple objective in mind: We wanted to understand your world and how we can make technology disposal easier and safer given the challenges you face in today’s digital environment.

The overriding result of this study revealed that organizations still engage in risky technology disposal behavior, even as data breaches continue to increase in frequency and severity. We were quite happy to find that Maxxum customers rate our services more positively compared to other technology companies, especially in the key areas of recycling, security, and compliance, which are cited as the most meaningful to organizations.

In this ever-evolving digital age it’s increasingly important to dispose of technology assets using a safe and compliant program. At Maxxum, we’re committed to helping you retire your technology in a documented, secure, and sustainable way.

Tech Disposal Research Proves the Importance of Proper Asset Disposal

Our tech disposal research study gathered responses from highly regulated, risk-averse organizations including health care, insurance, medical device manufacturing, financial services and education.

The most alarming data uncovered from our research is that 40 percent of respondents stated that they use disposal methods outside of a professional tech disposal service, including equipment donations and giving away old computers, monitors, etc. to employees. Just because your office is done with a computer, that doesn’t mean the secure information it holds isn’t still available.

We stress to our clients and say elsewhere here on our website: You may be vulnerable to legal ramifications if you don’t dispose of your data and drive assets properly. If your sensitive data leaks, you’ll have to answer to the law and your customers.

As one might expect, the most important elements for organizations, the key drivers, are: process and documents, recycling and reuse, and security at destination. We’re happy to report that Maxxum customers ranked our service particularly high in those three areas versus other companies.

To see more of the tech disposal research study survey results, contact us for a copy of our white paper.

The Rising Cost of Data Breach

October 28, 2015


IBM and the Ponemon Institute released a global study in January that said the average total cost of a data breach has increased 23 percent in the last two years, up to $3.79 million.

The same study showed that the average cost paid by organizations for each lost or stolen record containing confidential information rose from $145 in 2014 to $154 in 2015. The largest increase was seen in the retail industry, where the average cost increased from $105 in 2013 to $165 in 2014.

The Cost of a Data Breach is Increasing

As today’s world becomes more and more digital, with so much sensitive data stored on drives of all sorts, optical media, cell phones, and various other forms of office equipment, there’s every reason to believe that the cost of a data breach is only going to rise over the next several years.

It’s important to know that just because a piece of technology no longer works, that doesn’t mean the information on it is no longer accessible. In fact, without destruction, most of it is pretty easily retrieved by someone who knows what they’re doing.

In 2003 researchers at MIT were able to recover 92.4 percent of sensitive information from 158 used hard drives. That sensitive information included not only corporate information, but names and contact information, emails, credit card numbers, social security numbers and medical records.

Security measures have improved dramatically since MIT’s study, and organizations have embraced the value of hiring Technology Asset Disposal Companies. While security has improved, so have hackers and data thieves. If you think that black markets where stolen information is sold only exist on TV shows and in the movies, you’ve got your head in the sand.

The following numbers should scare you a little bit: 80 percent of corporate desktops and laptops contain sensitive data. When it comes to IT personnel, only 34 percent have a secure process for hard drive destruction.

There’s far too much on the line, both monetarily and legally, for organizations not to hire experts to dispose of their technology assets when the time comes to refresh or upgrade. Avoid the rising costs of any kind of information breach by hiring an expert and trustworthy data destruction organization.

15 Million T-Mobile Customers’ Data Exposed | T-Mobile Data Breach in 2015

October 23, 2015


On October 1, it was announced that approximately 15 million T-Mobile customers were impacted by a T-Mobile data breach at credit agency Experian PLC, the latest major leak of confidential data to hit corporate America.

The exposed data included names, addresses, birth dates and encrypted Social Security numbers, driver’s license or passport numbers for customers who might have applied for T-Mobile cell service between Sept. 1, 2013 and Sept. 16, 2015.

T-Mobile said the T-Mobile data breach was discovered on September 15 and included information on millions of their subscribers, former customers and people who applied for service or device financing at the wireless carrier over the last two years.

“Obviously I am incredibly angry about this data breach and we will institute a thorough review of our relationship with Experian,” T-Mobile CEO John Legere said. “I take our customer and prospective customer privacy VERY seriously.”

Experian is one of the three major American credit bureaus, along with Equifax and TransUnion, that affect, if not touch, every American with a credit card or cell phone.

There is no evidence yet that any breached information has been inappropriately used and Experian is notifying the individuals who may have been affected. They are also offering free credit monitoring and identity resolution services for two years to affected customers.

Hackers typically put this type of information up for sale on black markets, where large databases of information are aggregated and sold to identity thieves. A stolen identity can lead to stolen tax refunds, ruined credit and worse.

T-Mobile is in the process of reaching out to people who may be impacted by the T-Mobile data breach.

Here are four steps to take if you are ever afraid your personal data has been breached. All four steps can be done by calling each of the three credit bureaus (Experian: 1-888-397-3742, Equifax: 1-800-525-6285, and TransUnion: 1-800-680-7289).

  1. Monitor your credit reports. You are entitled to one free credit report every 12 months from each of the three credit bureaus.
  2. Consider placing a “fraud alert” with each of the three credit bureaus. An alert doesn’t block potential new credit, but places a comment on your history. Creditors should contact you prior to opening a new account.
  3. Consider placing a “security freeze” with each of the three credit bureaus to prohibit the release of any information from your reports. A security freeze can help prevent identity theft since most businesses won’t open credit accounts without checking a consumer’s credit history first.
  4. Beware of unsolicited calls or emails offering credit monitoring or identity theft services. Never provide your Social Security number, credit card numbers, or other personal information in response to unsolicited emails or calls.

Data Protection | Don’t Let Your Data Fall Into the Wrong Hands

October 1, 2015


Class-action lawsuits, crippling financial penalties, tarnished reputations and even jail time are some of the repercussions that can stem from information falling into the wrong hands and the lack of data protection.

If you think your organization is immune to a data breach, you’re wrong.

Early next year the movie Snowden will be released, detailing the story of Edward Snowden, an American computer professional who leaked classified information from the National Security Agency (NSA) to the British daily newspaper The Guardian in 2013.

If the NSA can be compromised, that probably means every organization has some type of vulnerability. There are, however, precautions that can be taken.

One particular point of vulnerability for every organization is when they refresh their technology assets. Just because new technology has entered the building, that doesn’t mean that you’re no longer responsible for the data on the technology that is being disposed of.

The best way to ensure that your data doesn’t fall into the wrong hands is to hire a trustworthy, dependable Technology Asset Disposal firm like Maxxum.

Data Protection Made Easy

Demand certified drive sanitization and destruction. Maxxum creates a smart, strategic partnership with each client. We will help your organization build a comprehensive and cost-effective risk-management program. This program eliminates potential data and environmental breaches and offers a secure, documented chain of custody that mitigates liability.

Maxxum utilizes best practices for sanitization of digitally stored information, meeting the NIST (National Institute of Standards and Technology) standard, also adopted by the Department of Defense.

Our comprehensive documentation and certification includes:

  • Asset receipt reporting provided by Maxxum’s technology center
  • Certification of data destruction by serial number of the host machine and drives
  • Drive sanitization date and method used
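The earlier post’s point that deleting a file is not sanitizing a drive, and the certification items listed above (serial number, date and method), can be demonstrated with a small simulation. This is an added example, not Maxxum’s code or tooling: the “drive” is an in-memory byte array with a toy file table, the serial numbers and the records written to it are constructed, and the verification step mirrors the read-back check that NIST’s media sanitization guidance expects after an overwrite.

```python
"""Toy block device: deleting a file versus sanitizing the drive.

Added example, not Maxxum's code. The 'device' is a bytearray in memory and
the 'file system' is a dict mapping names to block numbers, so it runs offline.
"""
from datetime import date
import hashlib

BLOCK = 64  # bytes per block (constructed; real media use 512 or 4096)


class ToyDisk:
    def __init__(self, serial: str, blocks: int):
        self.serial = serial          # goes on the certificate, as the post lists
        self.blocks = blocks
        self.bad_blocks = set()       # sectors that silently refuse new writes
        self.data = bytearray(blocks * BLOCK)
        self.table = {}               # file name -> list of block numbers

    def _raw(self, b: int) -> bytes:
        return bytes(self.data[b * BLOCK:(b + 1) * BLOCK])

    def _put(self, b: int, chunk: bytes) -> None:
        if b not in self.bad_blocks:  # a failing sector keeps its old contents
            self.data[b * BLOCK:(b + 1) * BLOCK] = chunk

    def write_file(self, name: str, payload: bytes) -> None:
        used = {b for blks in self.table.values() for b in blks}
        free = [b for b in range(self.blocks) if b not in used]
        needed = -(-len(payload) // BLOCK)  # ceiling division
        if needed > len(free):
            raise OSError("disk full")
        chosen = free[:needed]
        for i, b in enumerate(chosen):
            self._put(b, payload[i * BLOCK:(i + 1) * BLOCK].ljust(BLOCK, b"\0"))
        self.table[name] = chosen

    def delete_file(self, name: str) -> None:
        # An ordinary OS delete: only the directory entry disappears.
        del self.table[name]

    def carve(self, marker: bytes) -> list:
        """What a recovery tool does: scan raw blocks, ignoring the file table."""
        return [self._raw(b).rstrip(b"\0")
                for b in range(self.blocks) if marker in self._raw(b)]

    def sanitize(self, pattern: bytes = b"\0", method: str = "overwrite-1pass") -> dict:
        """Overwrite every block, then read back 100% of blocks to verify.

        Returns a certificate-style record with the fields the post lists
        (serial, date, method) plus the verification outcome.
        """
        fill = (pattern * BLOCK)[:BLOCK]
        for b in range(self.blocks):
            self._put(b, fill)
        self.table.clear()
        failed = [b for b in range(self.blocks) if self._raw(b) != fill]
        return {
            "serial": self.serial,
            "date": date.today().isoformat(),
            "method": method,
            "blocks_verified": self.blocks - len(failed),
            "failed_blocks": failed,
            "verified": not failed,
            "post_wipe_sha256": hashlib.sha256(self.data).hexdigest(),
        }


def demo():
    """Healthy drive: delete leaves data carvable; a verified wipe removes it."""
    disk = ToyDisk("SN-CONSTRUCTED-001", blocks=8)
    disk.write_file("members.csv", b"SSN:123-45-6789,Jane Doe")  # constructed record
    disk.delete_file("members.csv")
    after_delete = disk.carve(b"SSN:")  # still present after delete
    record = disk.sanitize()
    after_wipe = disk.carve(b"SSN:")    # gone after verified overwrite
    return after_delete, after_wipe, record


def demo_failing_drive():
    """A sector that can no longer be rewritten fails verification.

    The record then says 'verified: False' and lists the block, which is the
    cue for physical destruction instead of a clean-wipe certificate.
    """
    disk = ToyDisk("SN-CONSTRUCTED-002", blocks=8)
    disk.write_file("members.csv", b"SSN:987-65-4321,John Roe")  # constructed record
    disk.bad_blocks.add(0)  # constructed failure: sector 0 stops accepting writes
    record = disk.sanitize()
    return record, disk.carve(b"SSN:")


if __name__ == "__main__":
    print(demo())
    print(demo_failing_drive())
```

The failing-drive case is the one to watch for in practice: a wipe tool that reports success without a full read-back verification would certify a drive that still carries the record.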

If you need physical destruction of your drives to ensure data protection, Maxxum can help. We offer certified and documented physical destruction that shields you and your company.

Technology breaches are happening to organizations big and small. If you’re not being diligent about where your data ends up, it can fall into the wrong hands. Ensure data protection and turn your used technology over to Maxxum; it will be disposed of properly.

Unencrypted Device Breaches Persist

June 24, 2015

Health Data Breach Tally Shows String of Theft Incidents

By , June 23, 2015.


Although hacker attacks have dominated headlines in recent months, a snapshot of the federal tally of major health data breaches shows that stolen unencrypted devices continue to be a common breach cause, although these incidents usually affect far fewer patients.

As of June 23, the Department of Health and Human Services’ Office for Civil Rights’ “wall of shame” website of health data breaches affecting 500 or more individuals showed 1,251 incidents affecting nearly 134.9 million individuals.

Those totals have grown from 1,213 breaches affecting 133.2 million individuals in an April 29 snapshot prepared by Information Security Media Group (see Breach Tally Shows More Hacker Attacks).

The federal tally lists all major breaches involving protected health information since September 2009, when the HIPAA Breach Notification rule went into effect. As of June 23, about 52 percent of breaches on the tally listed “theft” as the cause.

Among the breaches added to the tally in recent weeks are about a dozen involving stolen unencrypted computers. Lately, those types of incidents have been overshadowed by massive hacking attacks, such as those that hit Anthem Inc. and Premera Blue Cross.

“Although we’ve seen some large hacking attacks, they are aimed at higher-profile organizations than the more typical provider organization,” says privacy and security expert Kate Borten, founder of the consulting firm, The Marblehead Group. “Attackers know that these organizations have a very high volume of valuable data. But I continue to believe that unencrypted PHI on devices and media that are lost or stolen is ‘the’ most common breach scenario affecting organizations of any size.”

Borten predicts that many incidents involving unencrypted devices will continue to be added to the wall of shame. “Getting those devices encrypted is an ongoing challenge when we expand the requirement to tablets and smartphones, particularly when owned by the users, not the organization,” she says. “We also shouldn’t overlook encryption of media, including tapes, disks and USB storage drives.”

Unencrypted Device Breaches

The largest breach involving unencrypted devices that was recently added to the tally was an incident reported to HHS on June 1 by Oregon Health Co-Op., an insurer.

That incident, which impacted 14,000 individuals, involved a laptop stolen on April 3. In a statement, the insurer says the device contained member and dependent names, addresses, health plan and identification numbers, dates of birth and Social Security numbers. “There is no indication this personal information has been accessed or inappropriately used by unauthorized individuals,” the statement says.

Also recently added to the federal tally was a breach affecting 12,000 individuals reported on June 10 by Nevada healthcare provider Implants, Dentures & Dental, which is listed on the federal tally as “doing business as Half Dental.” The incident is listed as a theft involving electronic medical records, a laptop, a network server and other portable electronic devices.

In addition to the recent incidents involving stolen or lost unencrypted devices, several breaches added to the wall of shame involve lost or stolen paper records or film.

“Breaches of non-electronic film and paper will never end, but at least these breaches are typically limited to one or a small number of affected individuals,” Borten says. Because many of the breaches involving paper or film are due to human error, “effective, repeated training is essential” to help prevent such incidents, she says.

Read full article…

Ponemon: Data breach costs now average $154 per record

June 10, 2015

The per-record cost of a data breach reached $154 this year


by Maria Korolov | May 27, 2015

According to a report released this morning by IBM and the Ponemon Institute, the per-record cost of a data breach reached $154 this year, up 12 percent from last year’s $145.

In addition, the average total cost of a single data breach rose 23 percent to $3.79 million.

Loss of business was a significant, and growing, part of the total cost of a data breach. Higher customer turnover, increased customer acquisition costs, and a hit to reputations and goodwill added up to $1.57 million per company, up from $1.33 million the previous year, said Ponemon Institute chairman and founder Larry Ponemon.

Ponemon analyzed results from 350 companies in 11 countries, each of which had suffered a breach over the past year.

Data breach costs varied dramatically by industry and by geography.

The US had the highest per-record cost, at $217, followed by Germany at $211. India was lowest at $56 per record.

Sorted by industry, the highest costs were in the health care industry, at an average of $363 per record.

The reason, said Caleb Barlow, vice president at IBM Security, is that the information in a medical record has a much longer shelf life than that of, say, a credit card number.

“With credit cards, the time frame from the breach to mitigation is very short,” he said.

The credit card company just has to cancel the old credit card number and issue a new one.

“But the health care record can be used to establish access in perpetuity,” he said, pointing out that health care records include a wealth of personal information as well as social security numbers and insurance numbers.

“It can be used to establish credit or steal your identity ten or fifteen years from now,” he said. “Once this information is out there, you can’t get the genie back in the bottle.”

And that doesn’t even include the costs of health care fraud, he added.

Factors that can impact breach costs

The Ponemon report looked at a number of other factors that could potentially influence the cost of a breach, and, unlike industry or geography, many of these factors were under management control.

For example, having an incident response team available ahead of time reduced the per-record cost by $12.60. Using encryption extensively reduced costs by $12. Employee training reduced costs by $8.

If business continuity management personnel were part of the incident response team, costs fell by $7.10. CISO leadership lowered costs by $5.60, board involvement lowered costs by $5.50 and cyberinsurance lowered costs by $4.40.

“Companies that have thought about this ahead of time, that had their board involved, that had insurance protection, that had practiced what they would do, they had a much lower cost per breach,” said Barlow. “This is really compelling. We have tangible evidence that those who were doing that had much lower costs. You don’t have days to respond — you don’t even have hours. You have minutes to get your act together.”

One factor that increased costs was the need to bring in outside consultants, which added $4.50 per record. If there were lost or stolen devices, costs increased by an average of $9 per record.

And the single biggest factor was if a third party was involved in the cause of a breach. That increased the average per-record cost by $16, from $154 to $170.

Costs rise with time

Ponemon found a positive relationship between the time it took to identify a breach and the total cost of the breach, as well as between the time it took to mitigate the breach and the cost.

On average, it took respondents 256 days to spot a breach caused by a malicious attacker, and 82 days to contain it.

Breaches caused by system glitches took 173 days to spot and 60 days to contain. Those caused by human error took an average of 158 days to notice, and 57 days to contain.

This story, “Data breach costs now average $154 per record” was originally published by CSO.

Go to original article…

Unencrypted Devices Still a Breach Headache

May 13, 2015

The Ongoing Risk Posed by Lost, Stolen Mobile Devices

By , May 12, 2015.


While hacker attacks are grabbing most of the health data breach headlines so far in 2015, a far more ordinary culprit – the loss or theft of unencrypted computing devices – is still putting patient data at risk.


Incidents involving unencrypted laptops, storage media and other computing devices are still popping up on the Department of Health and Human Services’ “wall of shame,” which lists health data breaches affecting 500 or more individuals. Among the largest of the most recent incidents is a breach at the Indiana State Medical Association.

That breach involved the theft of a laptop computer and two hard drives from a car parked for 2-1/2 hours in an Indianapolis lot, according to local news website, The Star Press. Information on more than 38,000 individuals, including ISMA employees, as well as physicians, their families and staff, was contained in the ISMA group health and life insurance databases on those devices.

The incident occurred on Feb. 3 while ISMA’s IT administrator was transporting the hard drives to an offsite storage location as part of ISMA’s disaster recovery plan, according to The Star Press. An ISMA spokeswoman declined Information Security Media Group’s request to comment on the breach, citing that there are “ongoing civil and criminal investigations under way.”

A breach notification letter sent by ISMA indicates that compromised data included name, address, date of birth, health plan number, and in some cases, Social Security number, medical information and email address. ISMA is offering those affected one year’s worth of free credit monitoring.

Common Culprit

As of Feb. 27, 51 percent of major health data breaches occurring since 2009 involved a theft while 9 percent involved a loss, according to data presented by an Office for Civil Rights official during a session at the recent HIMSS 2015 Conference in Chicago. Of all major breaches, laptop devices were involved in 21 percent of the incidents, portable electronic devices in 11 percent and desktop computers in 12 percent, according to the OCR data.

Two of the five largest breaches to date on the Wall of Shame involved stolen unencrypted computing devices:

  • A 2011 breach involving the theft of unencrypted backup computer tapes containing information on about 4.9 million individuals from the car of a Science Applications International Corp. employee who was transporting them between federal facilities on behalf of military health program TRICARE.
  • The 2013 theft of four unencrypted desktop computers from an office of Advocate Health and Hospital Corp. in Chicago, which exposed information on about 4 million patients.

Many smaller breaches affecting fewer than 500 individuals also involve unencrypted computing devices, according to OCR.

Safe Harbor

The thefts and losses of encrypted computing devices are not reportable breaches under HIPAA. That’s why security experts express frustration that the loss and theft of unencrypted devices remains a common breach cause.

“It is unfortunate that [encryption] is considered an ‘addressable’ requirement under HIPAA, as many people don’t realize that this does not mean optional,” says Dan Berger, CEO of security risk assessment firm Redspin, which was recently acquired by Auxilio Inc.

Under HIPAA, after a risk assessment, if an entity has determined that encryption is a reasonable and appropriate safeguard in its risk management of the confidentiality, integrity and availability of e-PHI, it must implement the technology. However, if the entity decides that encryption is not reasonable and appropriate, the organization must document that determination and implement an equivalent alternative measure, according to HHS.

Attorney David Holtzman, vice president of compliance at the security consulting firm CynergisTek, says he’s expecting to see soon an OCR resolution agreement with a healthcare provider that suffered several breach incidents caused by their failure to manage the mobile devices used by their employees on which electronic protected health information was stored or accessed.

Read full article…

Pharmacy Fined $125,000 for Breach

April 28, 2015

By , April 27, 2015.

Paper Patient Records Not Properly Destroyed

A small Denver compounding pharmacy has been slammed with a $125,000 federal penalty for a 2012 breach involving improper disposal of paper patient records. It’s the second such HIPAA enforcement action within a year by federal regulators tied to an incident involving records dumping by a covered entity.

In an April 27 statement, the Department of Health and Human Services’ Office for Civil Rights says Cornell Prescription Pharmacy has agreed to a HIPAA settlement that includes the $125,000 penalty and calls for adopting a corrective action plan to correct deficiencies in its compliance program.

Cornell is a single-location pharmacy that specializes in compounded medications and related services for hospice care agencies in the region.

Proper PHI Disposal

“Regardless of size, organizations cannot abandon protected health information or dispose of it in dumpsters or other containers that are accessible by the public or other unauthorized persons,” says OCR Director Jocelyn Samuels. “Even in our increasingly electronic world, it is critical that policies and procedures be in place for secure disposal of patient information, whether that information is in electronic form or on paper.”

OCR launched a compliance review and investigation in February 2012 after the agency received notification from a Denver news outlet regarding the disposal of unshredded documents containing the protected health information of 1,610 patients in an unlocked, open container on Cornell’s premises.

OCR’s investigation determined Cornell failed to implement any written policies and procedures as required by the HIPAA Privacy Rule. The pharmacy also failed to provide training on policies and procedures to its workforce as required by HIPAA, OCR says.

Similar Cases

OCR last June approved an $800,000 HIPAA settlement with Parkview Health System, an Indiana-based community health system, tied to an incident involving paper records dumping. In that case, the organization was cited for leaving 71 cardboard boxes of medical records on thousands of patients unattended and accessible to unauthorized persons on the driveway of a retiring physician’s home (see $800,000 Penalty for Paper Records Breach).

And in addition to the Parkview case, OCR has issued hefty settlements for several other breaches involving improper disposal of PHI.

“The latest OCR settlement is almost identical to 2009 and 2010 settlements against CVS and Rite Aid over the pharmacies allegedly dumping protected health information in publicly-accessible waste containers,” says privacy attorney Adam Greene of law firm Davis Wright Tremaine.

“In both of those cases, as in the current case with Cornell Prescription Pharmacy, the OCR investigation was triggered by a local television news report identifying the issue at local pharmacies,” Greene notes. “In response to the CVS and Rite Aid cases, OCR issued specific guidance on properly disposing of protected health information. Apparently, when OCR learned of a news report indicating that a pharmacy was not heeding this guidance, OCR determined that an additional settlement was needed.”

Covered entities and business associates should closely track OCR settlement agreements “and ensure that any similar issues are addressed within your own organization,” Greene stresses.

Attorney David Holtzman, vice president of compliance at the security consulting firm CynergisTek, says he’s surprised there haven’t been even more such enforcement actions by OCR for these kinds of improper disposal cases.

There have been approximately 30 large breaches since April 2011 that have involved covered entities or business associates that failed to make paper or printed PHI unreadable or indecipherable, “such as by shredding into itty-bitty pieces,” says Holtzman, who was a senior adviser at OCR prior to joining CynergisTek in 2013. “This [latest] case represents a drop in the bucket.”

Corrective Action Plan

As part of its resolution agreement with OCR, Cornell has agreed to implement a corrective action plan that includes developing, maintaining and revising, as necessary, written policies and procedures to comply with the HIPAA Privacy Rule and submitting documentation of those policies and procedures to OCR for its review and approval.

The policies and procedures must include administrative and physical safeguards for the disposal of all non-electronic PHI, including those records being “shredded, burned, pulped or pulverized so that the PHI is rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed.”

The pharmacy also agreed to distribute those policies and procedures to all members of its workforce within 30 days of OCR approving them and to also issue those policies and procedures to new members of the workforce within 30 days of their beginning of service.

In addition, the pharmacy agreed to provide its workforce HIPAA privacy training and to report violations of its privacy policies and procedures by its workforce to OCR.

More Settlements Soon?

Some privacy and security experts believe the resolution agreement with Cornell could be the first of several additional enforcement actions in the works at OCR for 2015, including cases involving other examples of HIPAA non-compliance.

“This is likely the beginning of a more active phase of OCR enforcement that we have been anticipating,” Holtzman says. “I believe that OCR has been investigating a number of significant investigations and compliance reviews, many resulting from breaches reported to HHS.”

Holtzman adds: “I do not believe that OCR limits itself to reserving its enforcement resources to a predetermined checklist or agenda prioritizing one type of incident over another.”

In a recent interview with Information Security Media Group, Greene also predicted that OCR will likely announce a number of eye-popping financial settlements for HIPAA violations later this year (see Could Big HIPAA Settlement be Coming?).

View original article…