Data breach at the University of Washington – October 2013

In early October 2013 a University of Washington Medicine (UW Medicine) employee opened an email attachment and in doing so launched a piece of malicious software (aka *malware*). The employee’s computer was taken over by the malware and with that action approximately 90,000 patients had their data accessed by criminal elements.  UW Medicine in their statement, “UW Medicine Notice of Computer Security Breach” provided an information security assessment of the breach which noted that while the patient data was accessed, they do not *believe* that the patient information was sought or targeted. The breach statement goes on to provide assurances the UW Medicine has engaged law enforcement, including the Federal Bureau of Investigation (FBI) and was taking appropriate steps within UW Medicine to insure that a reoccurrence would not happen.

The UW Medicine statement noted the data exposed in this data breach included “Data about patients may have included: name, medical record number, other demographics (which may include address, phone number), dates of service, charge amounts for services received at UW Medicine, Social Security Number or HIC (Medicare) number, date of birth.” What this means is that every one of the individuals whose data has been compromised will have to be concerned about identity theft for the rest of their days.  The value of PII (Personal Identifying Information) and PHI (Protected Health Information) in the criminal market is not hypothetical. Each record, containing the information identified by the UW Medicine, will have a street value of approximately $11-$25 each (Between $990,000 to $2 million for the criminals who took the data if they are able sell each record on the criminal underground identity market. See Dell’s Secure Works piece, “Underground hacking economy is alive and well” for the value of credit cards, identities, and compromised computers on the criminal market).

The cost of this data breach to UW Medicine will not be insignificant. According to the Ponemon Institute‘s report “2013 Cost of Data Breach Study: Global Analysis” the UW will spend approximately $180 per record to clean up after this breach. The cost includes all of the administrative costs associated with reporting the breach, providing remediation services, and internal adjustments to processes and procedures. Doing the math, that puts the remediation dollars number at more than $16 million. UW Medicine is fortunate their pockets are deep, as they are most likely also looking at a fine coming their way from the U.S. Department of Health and Human Service (HHS), as well. The new HIPAA (Health Insurance Portability and Accountability Act of 1996), is in play which according to a January 2013 note from the HHS, “Penalties are increased for noncompliance based on the level of negligence with a maximum penalty of $1.5 million per violation.”

Sadly, UW Medicine is not alone. In Ponemon’s December 2012 report, “Third Annual Study on Patient Privacy,”  a sobering statistic was revealed: 94 percent of healthcare organizations in the study have had at least one data breach in the past two years.

The takeaway for all healthcare providers, empower your Chief Security Officer (CSO) and Chief Information Security Officer (CISO) with sufficient resources to not only protect your infrastructure; but also to invest in employee education. Far too often, healthcare security and awareness programs fall into the operational expense category of “nice to have.” Incidents such as this, demonstrate the need for training. Training which isn’t just once and done, but a constant reminder that your patient’s information is precious and it is incumbent upon everyone to protect and secure the information. If you’re entity does not have a CSO or CISO, and many don’t, obtain the services of a Virtual CSO.[/vc_column_text][vc_separator style=”solid”][vc_separator style=”solid”][/vc_column][/vc_row][vc_row][vc_column width=”1/2″]

[vc_column_text][/vc_column_text][vc_separator style=”solid”][vc_column_text][/vc_column_text][vc_separator style=”solid”][/vc_column][vc_column width=”1/2″][vc_column_text]Prevendra provides virtual Chief Security Officer  (CSO) services. Providing advice, guidance and security recommendations for your health care entity – if your entity is dealing with patient information, PHI and PII and does not have a dedicated security team focused on data security, HIPAA compliant data handling and healthcare security awareness on a continuum – obtaining the services of a Virtual CSO is an affordable solution. Prevendra Virtual CSO services are available for the healthcare vertical as a retained service.

For more information, contact us via email: info@prevendra.com[/vc_column_text][vc_separator style=”solid”][/vc_column][/vc_row][vc_row][vc_column width=”1/1″][vc_column_text]

ID WARRIORS, helps protect you against more than just ID fraud, we alert you whenever we detect your personal information being used to apply for wireless services, retail credit, utilities, and mortgage loans within our extensive network. If you become a victim of identity theft while you are a member of ID WARRIORS, we will spend up to $25,000* to help your recovery.  Click to learn more about ID Warriors [/vc_column_text][/vc_column][/vc_row]