BreachExchange mailing list archives
CHS is the latest reminder that security breaches are a matter of 'when,' not 'if'
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 19 Aug 2014 19:39:40 -0600
http://www.bizjournals.com/nashville/blog/health-care/2014/08/chs-is-the-latest-reminder-that-security-breaches.html

Personal information — social security numbers, birthdays and more — of more than 4 million patients of doctors affiliated with Franklin-based Community Health Systems looks to have found its way into the hands of a China-based group of hackers.

But while the attack was severe, health IT experts say it isn't particularly surprising.

"Particularly with a health system, with access to all this personal data, all this health information, what we’re seeing with talking to the IT departments … in health care and health care services, people are trying to access their networks and their systems hundreds and a lot of times thousands of times every day," said Blake Wiedman, a commercial insurance advisor focused on IT security in health care with Nashville-based private insurance agency Crichton Group.

"This is no longer an ‘if’ it’s going to happen, it’s a ‘when,’" Wiedman said.

Still, Jeff Miller, an attorney with Harwell Howard Hyne Gabbert & Manner, said this is the first breach of this magnitude and style he's aware of concerning a health system. Most HIPAA breaches he sees stem from the loss of portable electronic devices carrying patient information, or an unencrypted hard drive or laptop.

Regardless of the source, the rising frequency of attempted attacks and a higher threshold for fines following breaches have led the insurance industry to up its offerings in recent years when it comes to insuring companies against data losses and related costs, said Wiedman and Parker Rains, vice president of Fisher Brown Bottrell Insurance.

"It’s not a coverage that you’ve talked about since the beginning of your insurance," Rains said. "In recent years this cyber policy availability has really kind of come into the mainstream."

And while most small-business owners aren't as protected as they need to be, Rains said, a big company like CHS generally is.

In its filing on the breach, in fact, the company said it does not expect "a material adverse effect on its business or financial results," despite the fact that "this matter may result in remediation expenses, regulatory inquiries, litigation and other liabilities."

"The company carries cyber/privacy liability insurance to protect it against certain losses related to matters of this nature," the filing says.

Miller said CHS' biggest costs will most likely stem from Centers for Medicare and Medicaid Services fines. Studies have shown that when data breaches occur, if a company offers credit monitoring or other protection — as CHS plans to do with identity theft protection — you're less likely to get sued, Miller said. Even if a class action suit is filed, he added, it's tough for the plaintiffs to prove they've been harmed.

And although there's likely to be a "pretty steep fine" for the Franklin system when all is said and done, Miller said, the highest fees are usually relegated to violators who don't cooperate with regulators, which is unlikely to be the case here.