4/24/2012
09:15 AM

2 Medicaid Data Breaches, 1 Weak Link: Employees

Second data breach at a state Medicaid agency in less than a month shows need to limit employee access to confidential data, regardless of other security procedures.

For the second time in less than a month, there has been a major data security breach at a state Medicaid agency. The South Carolina Department of Health and Human Services (SCDHHS) discovered on April 10 that an employee of the state's Medicaid program had transferred personal information of 228,435 Medicaid beneficiaries to his personal email account.

After the department detected the transfers, it contacted the state law enforcement agency. The employee was terminated, and the affected individuals were notified of the security breach. Christopher Lykes Jr. of Swansea, Ga., has been arrested and charged with the offense, according to South Carolinian website The State.com.

Just a few weeks ago, hackers broke into a server at the Utah Department of Technology Services and stole Medicaid records of 780,000 people. Of those, about 280,000 had their Social Security numbers compromised. Less-sensitive personal information on an additional 500,000 individuals, including names, addresses, dates of birth, and diagnostic codes, also was stolen.

In the South Carolina case, the compromised records had patient names, phone numbers, addresses, birth dates, and Medicaid ID numbers, but no private medical records or financial information. In 22,604 cases, the records included Medicare numbers that contained Social Security numbers.

To address the possibility of identity theft, SCDHHS is offering a free year of identity protection services to every affected individual. The service, provided by Experian, includes a free credit report, daily credit monitoring, and a $1 million identity theft insurance policy. In addition, the department has created a website and a toll-free number to answer the questions of affected beneficiaries.

Meanwhile, the SCDHHS announcement said, the department is impounding all files and computers where the compromised information might have been stored; has frozen access for much of its staff to software that allows the aggregation of personally identifiable information; and has hired an external IT security firm to conduct a risk assessment of its data and IT systems security.

The risk of this type of transfer of confidential information by employees is increasing because many organizations are using Web browsers as the primary platform for viewing information, Bill Morrow, a security expert and CEO of Quarri Technologies, told InformationWeek Healthcare.

"Standard Web browsers contain critical security gaps that create significant risks to organizations' confidential data, and online resources like webmail and social networking sites can be open windows for data leakage," he said. "A careless or malicious employee can easily steal company trade secrets, intellectual property, or leak sensitive customer information."

Employees can access such information regardless of whether their organization uses an on-premises server or a remote server. But organizations, including healthcare providers, are increasingly using browsers to link together multiple sites and provide mobile access to systems, Morrow noted.

Moreover, many healthcare organizations are moving toward the use of cloud-based applications that are accessed over the Internet. In a recent Harris Interactive survey, nearly 60% of CIOs in healthcare systems that had an EHR and a health information exchange said they planned to invest in "cloud-based open systems." Storage and retrieval of medical imaging data in the cloud also is becoming widespread.

The best way to prevent employees from using browsers to replicate confidential information, Morrow said, is to deploy what he calls "hardened browsers," which are available from several vendors. Such a viewing platform allows organizations to limit the aggregation of data and to specify which data can be saved, printed or transferred, and how, he noted.

The key to using a hardened browser, he added, is to strike an appropriate balance between employees' need to use data and a security policy that prevents unauthorized movement of confidential information.

Comments
Andrew Hornback,
User Rank: Apprentice
4/25/2012 | 1:16:02 AM
re: 2 Medicaid Data Breaches, 1 Weak Link: Employees
Thankfully, these organizations are catching these breaches.

However, wouldn't it be better in the first place if these breaches never took place? What act/failure to act allowed these breaches to take place? I get the strong feeling that both organizations are going to be in the market for IT security resources in the very near future.

What is the final impact of these two breaches? How much money is this going to cost the taxpayers of Utah and South Carolina (and possibly the US, if any Federal funds are used to clean up this mess)?

At least South Carolina seems to be stepping up and working to protect those who were subject to the breach.

The more that these organizations move to make their EHRs (data) available everywhere, the more surface area that attackers have to work with. I'm sure there's a business opportunity there for someone who's willing to step up and take on the task of making these things more secure.

Andrew Hornback
InformationWeek Contributor