Hospital records and data breaches, a continuing problem

September 5, 2016

Health records are a particularly popular target of hackers who use ransomware to extract quick payment. Hospital records are self-evidently critical in patient care. Hospitals are notorious for their poor data security practices. That is a function of a culture resistant to implementing modern data security practices, a large number of staff accessing records and emails, generally poor security protocols and even worse training of staff on basic privacy. The combination of those factors makes it relatively straightforward for hackers to plant ransomware on a targeted hospital’s server. A recent case involves Derriford Hospital, which is reported in “Computer hackers demanded ransom payment from Derriford Hospital”. That coincides with a notice of a data breach by Burrell Behavioural Health on 2 September, where a hacker accessed the email account of an employee on 6-7 July 2016. The day before, the US Department of Veterans Affairs notified patients of a breach at the Clement J Zablocki VA Medical Centre on 22 August 2016.

That coincides with the report in Hong Kong of the theft of personal information of 3,675 patients, including their identity card details, personal details and details of medication taken. Of those records only 901 were encrypted. The loss occurred through the theft of a laptop which held patient data. That is a serious lapse, one which occurs all too often in the health industry. The breach is reported in the South China Morning Post as “University of Hong Kong’s medicine department ‘sorry’ for patient data breach”.

The article provides:

Laptop containing personal information of more than 3,600 patients believed to have been stolen; police are investigating.

Hong Kong’s top medical school has expressed its “deepest apologies” after a laptop computer containing the personal data of more than 3,600 patients was suspected to have been stolen, causing a massive data breach.

A police investigation was under way after the laptop belonging to the University of Hong Kong’s Li Ka Shing Faculty of Medicine went missing from its office at Queen Mary Hospital in Pok Fu Lam on Thursday.

An initial assessment revealed that the personal information of 3,675 patients including their names, Hong Kong identity card and telephone numbers, diagnoses and medication list could have ended up in the wrong hands, although data for 901 of those patients was encrypted. According to a statement by the department, a person can log into the system only by using a registered username and password.

The department stressed that it would fully support the police investigation, and that measures had been taken to strengthen security. Staff members have also been asked to reset their user passwords, and ensure personal data in electronic storage was well-protected. It did not specify if anyone would face disciplinary action.

The Office of the Privacy Commissioner for Personal Data was also notified of the incident.

This is not the first time that patients’ data has been leaked because of the mishandling of digital equipment.

In February 2014, a pharmacy worker at Queen Elizabeth Hospital lost a non-encrypted USB flash drive containing drug prescriptions, dispensary-related documents as well as identifiable personal data of 92 patients.

The employee only reported the incident three days later, but the hospital considered the public exposure of the sensitive information to be low as the flash drive was believed to have been lost in a restricted area.

This follows a similar incident in August 2013 when the Hong Kong Sanatorium and Hospital, a private institution which caters to the city’s wealthy and the elite, reported that a staff member’s USB flash drive had gone missing, compromising the personal data of 68 patients.

There is no room for complacency in Australia.  The absence of mandatory data breach notification laws gives a false sense of security.
