• Data Breaches and Their Life Span

  • The Identity Theft Resource Center (ITRC) has been tracking security breaches since 2005, looking for patterns, new trends and any information that may help us better educate consumers and businesses on the value of protecting personal identifying information.

    ITRC reports that within a ten-year period from 2005 to December 2015, there have been 5,810 data breaches reported.

    For 2015, ITRC reported an increase in reported breaches over 2014. The Business sector again topped the ITRC 2015 Breach List with nearly 40 percent of the breaches publicly reported in 2015, an increase of 8.1 percent from 2014 figures. In second place was the Health/Medical sector, at 35.5 percent of the total overall breaches.

    The number of breaches involving Social Security numbers totaled 338 in 2015, a modest increase of 1.8 percent over the 325 reported in 2014. Those breaches, however, involved more than 164.4 million records.

    “With ongoing support from IDT911, the ITRC continually tracks and monitors the ever-growing number of U.S. breaches in an effort to understand the complex issues behind them,” said Eva Velasquez, President and CEO, ITRC.

    Business partner IDT911 provides prevention solutions, protection services and incident remediation for individuals and businesses through its complete Identity and Data Breach Defense Services.

    “While the overwhelmingly prevalent motive for data breaches remains financial gain for the thieves, we saw a shift in new motives for obtaining sensitive and private personal data this year. This compromised data can now be used to compel behavior changes in breached individuals and groups. This data is also being used for social justice purposes, and even to embarrass our nation. As the motives for obtaining this data shift, so must our mindset about what we need to keep private, protect, and potentially cease capturing or creating,” Velasquez continued.

    How long does the impact last once a person’s private information has been part of a breach?

    For those who have experienced a breach, like this writer, a minimum of a year. Then hold your breath and hope the person or persons who have your personally identifiable information (PII) have not been arrested, or do not have any warrants out against them, especially for violent crimes. Should you be stopped for a traffic violation and your name appear on a police computer screen, you will be explaining, once again, how you have been violated and that you are a victim of identity theft!

    http://www.idtheftcenter.org/images/breach/DataBreachReports_2015.pdf

    Footnote

    Ransomware is in the news again. http://www.healthcareitnews.com/news/hollywood.

    On January 29th, I published a blog post on ransomware attacks that compared the TV show The Good Wife with a client’s experience. Both attackers requested a $50,000 ransom for the decryption key.

    Officials at the Hollywood Presbyterian Medical Center stated that they paid $17,000 in ransom to gain control of their data.

    In a letter posted online, hospital CEO Allen Stefanek wrote: “The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key. In the best interest of restoring normal operations, we did this.” Stefanek said the hospital had regained control over its electronic health record systems on Monday. The CEO said there is no evidence that any patient data was accessed by the hackers.

    The client I referenced had a different outcome. She hired a company to decrypt her data files without paying the ransom. During the discovery process, it was determined that the outsourced IT company had not been regularly backing up the data that would have been needed to restore the systems.

    What happened to Hollywood Presbyterian Medical Center’s data backup? I am sure that there will be an investigation by the Office for Civil Rights. It appears that there were deficiencies in the required Safeguard Principles of the Privacy and Security Framework of HIPAA. These principles emphasize that trust in electronic health information can only be achieved if reasonable administrative, technical, and physical safeguards are in place.

    Hollywood Presbyterian is a covered entity and, as such, is required to implement appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information (PHI). 45 C.F.R. § 164.530(c).

    Judith Lindsay, CHP and CEO of JAL Consult, tackles all the elements of the HIPAA compliance puzzle, successfully assisting organizations in making sense of it all by implementing the correct policies and procedures that are reasonable and appropriate for their entity. Judith provides consulting and training and is available for speaking engagements. To read more about the world of compliance, subscribe to JAL’s insightful newsletter at www.jalconsultantsaz.com or follow JAL on Twitter @judithconsult.