Improper Hard Drive Disposal Leads to 100k Health Record Breach

Recently, personal data was leaked from over 100,000 patients at HealthReach Community Health Centers in Maine. How did this happen? Simple: by improper disposal of the health center’s hard drives (source).

Let’s dive into this deeper.

The hard drives from the healthcare giant were disposed of by an employee at a third-party data storage location. The breach took place in early April but was not uncovered until a month later when the investigation found that PII (personally identifiable information) and PHI (protected health information) of patients were compromised. Compromised information included names, birth dates, addresses, medical insurance information, social security numbers, medical records, lab results, and treatment records. Despite the leak of sensitive data, the provider noted that no data was misused due to the breach.

As is common practice in the fallout of this type of breach, patients impacted can enroll in complimentary identity theft protection services for one year of monitoring, identify theft recovery services and a one million dollar reimbursement policy. Affected patients were encouraged to do so. 

PK Tech’s Takeaways: 

1. We’ve talked about the rising threat of ransomware often on our blog. The healthcare sector is one industry that has been and continues to be heavily targeted by cyber actors. As we learn from this breach, there are other ways an organization can be breached: employee misuse of data and improper data disposal. Both can be just as damaging as a ransomware attack. 
2. This breach also teaches us a difficult truth: even large healthcare providers make easily preventable mistakes that open the organization to unnecessary vulnerabilities. 
3. As breaches increase, organizations must secure gaps in data security. Overlooking such holes opens the organization to negligent misuse of data, cyberattacks, and liability. Beware of 1) cyber actors and 2) poor cyber hygiene (i.e., improper data use or disposal)
4. Finally, we wonder how a small healthcare provider would handle the same situation. From our experience, larger organizations recognize the risks and dedicate resources to comply with HIPAA. You’re lucky to find a small provider doing annual risk assessments, let alone following an incident reporting policy without the Office for Civil Rights getting involved. What happens if HIPAA is consistently enforced on small providers and only the large providers with the resources can survive audits? We preach to our clients — do annual risk assessments and make an effort. HIPAA has the teeth to end organizations. If you accept health insurance, you accept that your organization needs to follow over 500 pages of HIPAA law.

PK Tech has worked in the healthcare space for over ten years. We can help with risk assessments, ongoing services, and more. Reach out to us for a consultation.