Biggest Pediatric Hospital Breach Reported105,000 Affected at Boys Town National Research Hospital
A recent hacking incident at Boys Town National Research Hospital is the largest ever reported by a pediatric care provider or children's hospital, according to the federal health data breach tally. A wide variety of data on some 105,000 individuals, including young patients as well as employees, was exposed, opening the door to potential fraud.
The U.S. Department of Health and Human Services' HIPAA Breach Reporting Tool website, commonly called the "wall of shame," lists breaches reported since 2009 that affected 500 or more individuals. The tally now includes about 35 major breaches at children's hospitals or pediatric healthcare providers impacting a total of more than 434,000 individuals.
As of Thursday, the Boys Town Hospital incident also ranked as the eighth largest health data breach posted so far this year.
In a statement, Omaha, Nebraska-based Boys Town Hospital says that on May 23, it became aware of "unusual activity" relating to an employee email account.
The hospital says its forensics investigation confirmed that personal information related to patients as well as employees may have been accessible as a result of the incident.
That data includes name; date of birth; Social Security number; diagnosis or treatment information; Medicare or Medicaid identification number; medical record number; billing/claims information; health insurance information; disability code, birth or marriage certificate information; employer identification number; driver's license number; passport information, banking or financial account number; and username and password.
So far, the hospital says, it has not received any reports of the misuse of this information.
Boys Town National Research Hospital is internationally recognized as a leader in clinical and research programs focusing on childhood deafness, visual impairment and related communication disorders, and has developed national medical programs that are now instituted in hospitals and clinics across the country, according to its website.
The hospital has campuses in Omaha and Boys Town, Nebraska, with a total of 67 acute licensed beds.
Hospital officials did not immediately respond to an Information Security Media Group request for comment, including clarification of how many patients were affected.
The vast amount of information exposed in the breach is troubling because of the potential it will be used to commit fraud.
"There are additional concerns when such sensitive data about children is stolen," says Rebecca Herold, president of Simbus, a privacy and cloud security services firm, and CEO of The Privacy Professor consultancy.
"Most children have not yet established credit histories and won't be getting loans or credit cards for potentially many years from the time of this breach. This makes children's personal data very valuable to the crooks; they know that most people are not monitoring to see if this data is being misused or used for fraud," she says.
This makes it easier for children's data to be used for medical identity theft and fraud, she adds.
"This could ultimately result in incorrect data being incorporated into children's health files, which could have long-lasting safety and health impacts on these already vulnerable children," she notes.
"Just imagine if someone who committed medical identity theft incorporated incorrect information into the child's health records, and a child was subsequently given medicine or treatments that could bring them harm, or even result in their death. Misuse of children's medical data has not only financial impacts, but also very significant social and true life-and-death safety impacts."
Children are especially vulnerable for identity theft because they do not know to watch for the warning signs that can tip you off to the fact that someone is misusing personal information and committing fraud, says privacy attorney David Holtzman, vice president of compliance at security consultancy CynergisTek.
"For example, children are not likely to receive notices from government agencies about applications for benefits using their Social Security number, get a notice from the IRS that they didn't pay income taxes or that the child's Social Security number was used on another tax return or get collection notices or bill for products or services they didn't receive," Holtzman says.
The Boys Town Hospital breach notification does not give a precise explanation of what happened, "but we can surmise the owner of the compromised email account had an easy-to-guess password or became the victim of a phishing scam or other type of social engineering," Holtzman says.
"What we can deduce from Boys Town's explanation is that the owner of the email account was storing some pretty sensitive information about residents and employees using an email program," he says. In many applications, data in email is formatted in plain text. Maintaining such sensitive information in the email account "should have thrown up red flags" when and if Boys Town had performed a comprehensive information security risk analysis, he adds.
Covered entities and business associates should consider taking special precautions to safeguard the PHI of minors, Herold stresses.
"CEs and BAs should be diligent with all PII and PHI, but with children's data ... additional actions should be taken for the sake and safety of the patients, even if they are not explicitly required by HIPAA or other laws."
—Consultant Rebecca Herold
"CEs and BAs should be diligent with all PII and PHI, but with children's data ... additional actions should be taken for the sake and safety of the patients, even if they are not explicitly required by HIPAA or other laws," she says.
"For the sake of children's health, safety and well-being, providers and insurers should establish additional checks for changes to children's records that are out of the ordinary, unexpected or simply do not otherwise make sense. I realize this creates more procedures and work for the providers' staff, but isn't the purpose of a provider to ensure the best well-being of patients?"
Ensuring patient treatments and prescriptions are appropriate and based on accurate data that is verified as being from the actual patient requires data security diligence to support patient safety and care, Herold says.
Holtzman notes that the information compromised in the Boys Town Hospital breach is especially sensitive because it can expose the victims to significant financial fraud or harm to their reputation.
"When collecting this type of sensitive PII, the organization should carefully assess why the information is being collected and minimize access to the data to only those with an appropriate role in the organization," he says. "Do not create unnecessary or duplicative collections of sensitive PII, including information stored on backup servers, network drives or unencrypted drives or applications. Securely delete electronic files containing sensitive PII is no longer needed and where ever it is stored."
Herold notes that organizations need to review their breach response policies and procedures to ensure they include consideration of protecting minors' data. "They also need to provide training to all personnel so they understand the full financial, privacy and patient safety and well-being impacts that breaches involving these types of breaches can have."