BreachExchange mailing list archives

[osint] New York Breach Affects 1.7 Million


From: blitz <blitz () strikenet kicks-ass net>
Date: Sun, 20 Feb 2011 17:52:00 -0500


New York Breach Affects 1.7 Million



Largest Incident Reported So Far Under HITECH Rule

February 14, 2011 - Howard Anderson, Executive Editor,
HealthcareInfoSecurity.com

http://www.healthcareinfosecurity.com/articles.php?art_id=3349&opg=1

Some 1.7 million individuals are being notified of a health information
breach incident involving data from The New York City Health and Hospitals
Corp. (<http://www.nyc.gov/html/hhc/html/pressroom/pr-20110211-data-theft.shtml>).
It's the largest breach
reported so far under the HITECH Act breach notification rule, which went
into effect in September 2009.

Computer backup tapes from the New York provider were stolen on Dec. 23,
2010, from a truck that was transporting them to a secure storage location,
according to a website statement from the NYC organization and its letter to
those affected. The unencrypted tapes included information on patients and
hospital staff from the North Bronx Healthcare Network, a unit of the NYC
Health and Hospitals Corp. That network includes Jacobi Medical Center,
North Central Bronx Hospital, Tremont Health Center and Gunhill Health
Center. Also on the tapes was information the hospitals' occupational health
services collected about employees of vendors and contractors.

The information lost, which was collected during the past 20 years,
includes: names, addresses, Social Security numbers, patient medical
histories and the occupational/employee health information of staff,
vendors, contractors and others, according to the statement.

All those affected are being offered one year of free credit protection
services.

Breach Incident Details

The tapes were stolen from a truck operated by GRM Information Management
Services while the files were being transported to a secure storage
location, according to the provider organization. "The incident was reported
by GRM to both North Bronx officials and the police the same day, and an
investigation was launched immediately," the letter to those affected
stated. "To date, these tapes have not been recovered."

In its website statement, the organization noted, "The theft occurred while
the GRM van was left unattended and unlocked while the driver made other
pickups. GRM reported the incident to the police and dismissed the driver of
the vehicle."

The statement also noted: "The data in the stolen files is not readily
accessible without highly specialized technical expertise and data mining
tools, and there is no evidence to indicate that the information has been
accessed and misused."

NYC Health and Hospitals said the loss of the data "occurred through the
negligence of a contracted firm that specialized in the secure transport and
storage of sensitive data, but HHC is taking responsibility for providing
information and credit monitoring services to any affected individual who
may be worried about the possibility of identity theft."

Breach Prevention Steps

The provider organization said it has "taken immediate measures to prevent a
similar situation from reoccurring; has terminated the contract with the
vendor responsible for the loss; and has filed a lawsuit against the vendor
to hold it responsible for covering all of the costs associated with
notifying all affected individuals and to pay for other damages related to
the loss of the data."

A spokesman for NYC Health and Hospitals told HealthcareInfoSecurity that
while the organization has encrypted most of its backup files, the tapes
that were stolen, unfortunately, had not yet been encrypted.

"HHC has been undergoing a multi-year data center consolidation project,
which requires the careful transition and transfer of all data backup
systems to the new center for storage," the spokesman said. "As part of this
process, HHC had to standardize data systems across the hospitals and
encrypt all clinical systems backups. HHC has already encrypted more than 80
percent of the data. The Jacobi and NCB hospital system files were scheduled
for the necessary migration and encryption in March 2011."

Despite the lack of encryption, the stolen files will be difficult to
decipher, the spokesman contended. "Although the data were not encrypted, it
exists in a proprietary program that scrambles the records and would make it
difficult for individuals without specialized technical expertise and access
to the right software and computer hardware to view the private
information."

As a result of the breach incident, the organization has suspended the
transport of unencrypted backup files to off-site storage "and will expedite
its plan to upgrade critical data to the 256-bit advanced encryption
standard, considered by the federal government as the highest level of
protection against tampering," the spokesman said. "At the time of the
theft, HHC had already upgraded and encrypted nearly 80 percent of the 1,568
systems applications used throughout the corporation. The upgrade is
expected to be completed by the fall of 2011."

The spokesman also said the organization will hire a new vendor to handle
offsite backup data, which will be "stored in highly protected facilities
that have climate-controlled, dedicated tape vaults, secure keycard access,
video surveillance and trained personnel."

Thefts Lead to Breaches

All three of the largest health information breaches reported so far under
the HITECH Act breach notification rule
(<http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html>)
have involved thefts.

The other two largest breaches reported to the Department of Health and
Human Services' Office for Civil Rights are:

* An incident at AvMed Health Plan, which alerted more than 1.2
million about a breach related to the theft of a laptop.
* An incident at BlueCross BlueShield of Tennessee, which informed
nearly 1 million individuals about a breach stemming from the theft of 57
hard drives from a closed call center.



_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list