Tag Archives: data disposal

HIPAA Settlement for Improper Disposal of Medical Records

Cornell Prescription Pharmacy, a single-location pharmacy that provides in-store and prescription services, agreed to a settlement with the Office for Civil Rights for potential violations of the Health Insurance Portability and Accountability Act (HIPAA). The settlement provides that Cornell pay $125,000 and adopt a corrective plan to fix the holes in its HIPAA compliance program.

The incident in question involved the disposal of documents containing protected health information of 1,610 patients in an unlocked, open container on the organization’s premises. The documents were not properly destroyed or shredded, and an investigation revealed that Cornell had failed to implement any of the HIPAA-required policies and procedures. Cornell also failed to provide the required training on such policies and procedures to its workforce.

The corrective action plan requires Cornell to implement a set of policies and procedures in compliance with the HIPAA Privacy Rule, and to provide the required staff training on those policies and procedures.

Additional Resources:

  • Link to the Resolution Agreement
  • Link to FAQs from the OCR related to disposal of PHI under HIPAA

Delaware Enacts Data Destruction Law

A Delaware law, effective January 1, 2015, requires safe destruction of business records containing consumer personal information when “no longer to be retained”. The law requires commercial entities conducting business in Delaware to take reasonable steps to destroy their consumers’ “personal identifying information” prior to the disposal of both electronic and paper records. A “consumer” is “an individual who enters into a transaction primarily for personal, family, or household purposes” and “personal identifying information” (“PII”) consists of the consumer’s first name or first initial and last name in combination with any of the following data elements:

  • signature;
  • full date of birth;
  • Social Security number or passport number;
  • driver’s license or state identification card number;
  • insurance policy number;
  • financial services account number, bank account number, credit card number, or “any other financial information;” or
  • confidential health care information.

The law calls for “shredding, erasing, or otherwise destroying or modifying” the consumer PII in a manner that makes it “entirely unreadable or indecipherable.” Exemptions are made for regulated entities, including financial institutions subject to the Gramm-Leach-Bliley Act, consumer reporting agencies subject to the FCRA, and health insurers and health care facilities subject to HIPAA.

Concerns About Data Security in the Legal Profession

Law firms often hold very sensitive information for their clients, including but not limited to intellectual property. The UK Information Commissioner’s Office (ICO) has voiced concerns about the lack of adequate data protection by firms in the legal profession.

Key Takeaway – apply the same basic privacy and data security principles to the law firms you share information with as you apply within your own organization. These include sharing only the minimum information needed to get the job done, requiring that sensitive information be destroyed completely or returned when no longer needed, and ensuring that adequate security protections are in place.

Basic Lessons Gleaned from eBay Purchase of Used POS Terminal

The analysis of a used point-of-sale terminal purchased on eBay by an HP researcher serves as a good reminder and illustration of problems that still exist with the configurations of POS devices, and that secure disposal should be applied to more than PCs.

As described in an article from Techworld, Matt Oh, a malware researcher with HP, purchased an Aloha point-of-sale terminal — a brand of computerized cash register widely used in the hospitality industry — on eBay for US$200. On the device he found default passwords (the VNC password was “aloha”), at least one security flaw, and a leftover database containing the names, addresses, Social Security numbers and phone numbers of employees who had access to the system. Matt also noted that “The software ran on a slimmed down version of Microsoft’s Windows XP operating system for ‘embedded’ devices such as POS terminals. The last time Windows security updates were applied was around March 2007.” Oh said a business was using the Aloha device “less than a few months ago” even though it is years old.

Key Takeaways: Make sure you have covered the security basics for POS devices – these include NOT using default or easily-guessed passwords, keeping the software updated, and securely erasing or destroying such devices before discarding or reselling them.

See Hacking POS Terminal for Fun and Non-profit for more details on Matt’s findings.

NCR, the maker of the Aloha terminal, posted an interesting and useful reply. Among NCR’s comments – “Now more than ever before, business owners should seek professional help when introducing information technology (IT) into their environments, as the complexity of the threats they face is at an all-time high. Otherwise, using out-of-date systems may lead to a criminal hacking your POS terminal for fun and for their profit.” (See more at: http://blogs.ncr.com/hospitality/hospitality/hacking-pos-terminal-funand-criminal-profit/)

Factory Reset Doesn’t Remove Data on Android Phones

AVAST Software analyzed 20 used smartphones whose previous owners had performed a factory reset or a “delete all” operation on their devices. AVAST was able to recover more than 40,000 personal photos, emails, text messages, and – in some cases – the identities of the sellers.

“The amount of personal data we retrieved from the phones was astounding. We found everything from a filled-out loan form to more than 250 selfies of what appear to be the previous owner’s manhood,” according to Jude McColgan, President of Mobile at AVAST. “We purchased a variety of Android devices from sellers across the U.S. and used readily available recovery software to dig up personal information that was previously on the phones.”

Key Takeaway: A factory reset or a “delete all” operation does not remove data on Android devices. To remove all data, make sure it is overwritten.

$800,000 HIPAA Settlement for Medical Records Left in Driveway

Parkview Health System, Inc. has agreed (press release) to pay $800,000 to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule. The Office for Civil Rights (OCR) opened an investigation after receiving a complaint from a retiring physician. In September 2008, Parkview took custody of the medical records of approximately 5,000 to 8,000 patients while helping the physician transition her patients to new providers. On June 4, 2009, Parkview employees, with notice that the physician was not at home, left 71 cardboard boxes of these medical records on the driveway of the physician’s home. In addition to the $800,000 resolution amount, the settlement includes a corrective action plan requiring Parkview to revise its policies and procedures, train staff, and provide an implementation report to OCR.

Similarly, in 2009 CVS Caremark agreed to a $2.25 million settlement, and in 2010 Rite Aid Corp. agreed to a $1 million fine, for improperly disposed-of medical information.

Hitting “Delete” Doesn’t Delete

A study commissioned in Australia by the National Association for Information Destruction (NAID), a non-profit data protection watchdog agency, has found significant amounts of personal information left on recycled computers. The NAID-ANZ Secondhand Hard Drive Study showed that 15 of 52 randomly purchased hard drives contained highly confidential personal information. While seven of the 15 devices had been recycled by individuals, eight had been recycled by law firms, a government medical facility, and a community centre. “The study is rather simple,” said NAID CEO Bob Johnson. “We randomly purchased 52 recycled computer hard drives from a range of publicly available sources, such as eBay. We then asked a highly reputable forensic investigator, Insight Intelligence Pty. Ltd, to determine whether confidential information was on those drives. The procedure used to find the information is intentionally very basic and did not require an unusually high degree of technical heroics. Had the data been properly erased, it could not have been found.” Information found on the hard drives included spreadsheets of clients’ and account holders’ personal information, confidential client correspondence, billing information and personal medical information.

Best practice – ensure processes are in place to securely remove sensitive information from electronic devices (PCs, servers, laptops, tablets, smartphones and even advanced copiers, printers, and fax machines) before they are disposed of or recycled.
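The AVAST factory-reset finding and the NAID hard drive study above come down to one mechanism: “delete”, “delete all” and quick-format style resets drop the allocation entry and leave the bytes on the media, so a raw scan that ignores the file table still finds them. The following Python script is an added example, not code from the original post or from either study; it models a toy block device with constructed geometry and constructed sample records (no real identifiers), shows that deleted and “reset” records are still recoverable from the raw media, and verifies that an overwrite pass removes them. The names ToyDevice, carve, is_sanitized and disposal_demo are hypothetical.

```python
import re

BLOCK_SIZE = 64   # bytes per block; constructed toy geometry
NUM_BLOCKS = 32


class ToyDevice:
    """Raw media plus a minimal allocation table, standing in for a phone
    partition or a hard drive.  Constructed for this example."""

    def __init__(self):
        self.media = bytearray(BLOCK_SIZE * NUM_BLOCKS)
        self.free = list(range(NUM_BLOCKS))
        self.table = {}                    # filename -> list of block numbers

    def write(self, name, data):
        """Store `data` in free blocks and record them in the table."""
        blocks = []
        for off in range(0, len(data), BLOCK_SIZE):
            b = self.free.pop(0)
            chunk = data[off:off + BLOCK_SIZE]
            start = b * BLOCK_SIZE
            self.media[start:start + len(chunk)] = chunk
            blocks.append(b)
        self.table[name] = blocks

    def delete(self, name):
        """What 'delete' does: drop the table entry and free the blocks.
        The bytes on the media are not touched."""
        self.free.extend(self.table.pop(name))

    def factory_reset(self):
        """A reset that rebuilds only the table (the behaviour the AVAST
        study found): every file disappears from view, the data stays."""
        self.table.clear()
        self.free = list(range(NUM_BLOCKS))

    def overwrite(self, fill=b"\x00"):
        """Sanitize: overwrite every block, allocated or not, with `fill`,
        then rebuild the table."""
        pattern = (fill * BLOCK_SIZE)[:BLOCK_SIZE]
        for b in range(NUM_BLOCKS):
            self.media[b * BLOCK_SIZE:(b + 1) * BLOCK_SIZE] = pattern
        self.factory_reset()


def carve(device, marker):
    """Scan the raw media, ignoring the table, for records that begin with
    `marker` and run until the next zero byte.  This is the 'very basic'
    recovery the NAID study describes, and the same scan is the check to
    run before a device leaves your custody."""
    pattern = re.escape(marker) + rb"[^\x00]+"
    return [m.group(0) for m in re.finditer(pattern, bytes(device.media))]


def is_sanitized(device, markers):
    """True when none of the known-sensitive markers survive a raw scan."""
    return all(not carve(device, m) for m in markers)


def disposal_demo():
    """Walk a device through write, delete, reset and overwrite, returning
    what the owner sees and what a raw scan recovers at each stage."""
    dev = ToyDevice()
    # Constructed sample records; not real people or identifiers.
    dev.write("patient_1.txt", b"SSN=000-00-0001 NAME=Example One")
    dev.write("patient_2.txt", b"SSN=000-00-0002 NAME=Example Two")
    dev.write("notes.txt", b"ACCOUNT=0000000000 NOTE=constructed sample")

    result = {}
    dev.delete("notes.txt")
    result["visible_after_delete"] = len(dev.table)               # 2
    result["carved_after_delete"] = len(carve(dev, b"ACCOUNT="))  # 1

    dev.factory_reset()
    result["visible_after_reset"] = len(dev.table)                # 0
    result["carved_after_reset"] = len(carve(dev, b"SSN="))       # 2

    dev.overwrite(b"\x00")
    result["carved_after_overwrite"] = len(carve(dev, b"SSN="))   # 0
    result["sanitized"] = is_sanitized(dev, [b"SSN=", b"ACCOUNT="])  # True
    return result


if __name__ == "__main__":
    for stage, value in disposal_demo().items():
        print(f"{stage:>24}: {value}")
```

The point of the raw scan is that a disposal process needs its own verification step, independent of what the file system reports. On real media the idea is the same (read the device below the file system and search for known record formats), with one caveat: on flash storage such as phones and SSDs, wear-levelling means a host-side overwrite is not guaranteed to reach every physical cell, so the device’s built-in sanitize command or full-disk encryption with destruction of the key is the reliable route, and physical destruction remains the fallback for media that cannot be verified.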

3 Companies Settle FTC Charges of Tossing Sensitive Data Into Trash Dumpsters

Two companies will pay $101,500 to settle Federal Trade Commission charges that they allowed sensitive consumer information to be tossed into trash dumpsters. The FTC charged that PLS Financial Services, Inc. and The Payday Loan Store of Illinois, Inc. failed to take reasonable measures to protect consumer information. Documents containing sensitive personal identifying information – including Social Security numbers, employment information, loan applications, bank account information, and credit reports – were disposed of in unsecured dumpsters near several PLS Loan Stores or PLS Check Cashers locations. According to the FTC complaint, these actions violated the FTC’s Disposal Rule and the Gramm-Leach-Bliley Safeguards Rule and Privacy Rule. The FTC further charged a violation of the FTC Act, in that the companies misrepresented that they had implemented reasonable measures to protect sensitive consumer information.

This is the third time the FTC has charged a violation of the Disposal Rule, which requires that companies dispose of credit reports and information derived from them in a safe and secure manner.