Image Source: https://www.rushu.rush.edu/rush-experience/our-location
A few weeks back we wrote about Easton Hospital and the lawsuit surrounding their 2014 loss of 4.5 million patients’ personal data.
Monday it was reported that a breach of similar data has occurred at Rush University Medical Center. At an estimated 45,000 records the breach is 100 times smaller than that which occurred at Easton Hospital and that is not the only dramatic difference between the two.
Chinese Hacking vs. Improper Disclosure
In the case of the Easton Hospital breach forensics traced the breach to the malicious efforts of a Chinese hacking group. In the case of Rush, no “hacking” took place. Instead, according to an article on the Chicago Tribune website, “At Rush, an employee of one of the hospital system’s billing processing vendors improperly disclosed a file to “an unauthorized party,” likely in May 2018, according to a letter sent to affected patients.”
Wall of Shame
The U.S. Department of Health and Human Services Office for Civil Rights breach portal euphemistically referred to as the “wall of shame” points out several interesting things about the state of data security in the healthcare industry.
- Breaches on the Rise – As compared to the same period during 2018, 2019 is so far on a pace that is more than DOUBLE! (24 vs. 59)
- Averaging About 1 Medical Related Breach a Day – In the 65 days of 2019 we’ve flipped past on the calendar so far this year there have already been 59 data breaches reported on the wall of shame.
- Big Breach Small Breach – The number of records disclosed range from as few as 576 (Managed Health Services) to as many as 400,000 (Columbia Surgical Specialist of Spokane)
- Mainly Attributed to Hacking – 36 of the 59 breaches are attributed to Hacking/IT Incidents with Unauthorized Disclosure (14) and Theft (9) accounting for the majority of the remaining breaches.
Even the Best Security Can be Compromised
At Konsultek we develop world class security solutions that prevent, detect and respond to attempts to breach networks. However, as the Rush breach and the 13 other cases of Unauthorized Disclosure highlight, even world class security solutions can be compromised by inadvertent/malicious activities of employees and sub-contractors. Ultimately, Network Access Control has to be more than a digital solution. Training, procedures and other management controls must work in concert with IT’s security efforts in order to prevent human powered security incidents.