Within a few weeks' time, massive health care breaches have been made public at Emory Healthcare in Atlanta, the South Carolina Department of Health and Human Services (SCDHHS) and the Utah Department of Health, showing a need for health care organizations to boost their security budgets, according to Judy Hanover, research director at IDC Health Insights.
"There's been a chronic underinvestment in breach protection and in securing our network and our data," Hanover told eWEEK.
New requirements under the 2009 Health Information Technology for Economic and Clinical Health (HITECH) Act mean health care companies need to go public with breaches and report them to the news media in addition to the U.S. Department of Health and Human Services (HHS), said Hanover.
"Increased reporting requirements are definitely making them more visible," she said. "You don't have to pop through HHS briefings to find out about these breaches any longer." Under the federal breach notification rule, a breach affecting more than 500 residents of a state or jurisdiction must also be reported to prominent media outlets serving that area, not only to HHS.
Of the three recent breaches, the Utah breach was the most serious because of its surreptitious nature and because the stolen data could be used for financial fraud as well as medical fraud, said Hanover.
On March 30, a weak password enabled an Eastern European cyber-attacker to break into a server at the Utah Department of Technology Services. Of the compromised records, about 280,000 included Social Security numbers and about 500,000 included a name, date of birth and address.
The Utah case is also serious because it involved children's information, Hanover noted. Data about beneficiaries of the Children's Health Insurance Program was stolen, and their cases remain in a high fraud-risk monitoring database until age 17, according to Hanover.
"Child identity theft is just a different animal because children aren't using their credit all the time and aren't accessing it," said Hanover. "And that kind of identity theft tends to go unnoticed, and so those children need to be placed in a high-risk fraud file and monitored longer."
Unlike the Utah case, the South Carolina breach is "fairly well-contained," said Hanover, noting that officials managed to seize some machines from which the data had been transferred.