Safeguarding PHI from LootersDrugstore Incidents in Baltimore Offer Lessons
The disaster recovery plans of organizations in the healthcare sector typically don't include steps to deal with looting incidents. But the April riots in Baltimore serve as a reminder that unexpected violence can result in health data breaches. And security experts are offering insights on how to minimize risks.
Retail pharmacy chain Rite Aid on June 3 issued a statement to notify the media that an undisclosed number of customers of several of its Baltimore area stores were potentially affected by breaches of their protected health information as a result of the looting and riots that occurred in late April. The riots were triggered by the death of Freddie Gray, a 25-year old African American who allegedly died as a result of injuries to his neck and spine sustained while being transported in a Baltimore police vehicle. His death was later ruled a homicide.
"A number of our Baltimore locations, along with many other Baltimore businesses, were broken into and looted and/or severely damaged as a result of civil unrest," the Rite Aid statement says. "Due to these criminal activities, a number of prescriptions were either damaged beyond recovery or stolen. The stolen prescriptions or prescription information would have contained sensitive information such as patient names, patient address, medication name, and [drug] directions. It is important [to note] that no financial information such as credit card numbers or Social Security numbers was involved."
Rite Aid says there is no evidence yet that any customer information has been misused. But as a precaution, the company has engaged Kroll, a provider of risk mitigation and response services, "to alert impacted customers via a letter of notification and share with them the proactive measures it has taken to guard against identity theft."
Dozens of Pharmacies Impacted
The Rite Aid pharmacies weren't the only ones affected by the looting. Some 27 Baltimore-area pharmacies and two methadone clinics were looted or broken into during the riots, resulting in the theft of "175,000 dosage units" of narcotics, Baltimore police officials said at a June 3 press conference. "There's enough narcotics on the streets of Baltimore to keep it intoxicated for a year," said Baltimore Police Commissioner Anthony Batts, who added that the police department is working with federal investigators on the looting-related criminal cases. More than 80 arrests have been made so far.
Among other pharmacies impacted by the riots were CVS as well as a number of smaller independent pharmacies. CVS did not immediately respond to an Information Security Media Group request for comment.
Reasonably Anticipated Threat?
Incidents involving looting and rioting, as were seen in Baltimore, are generally not on the list of threats for which organizations that handle PHI develop mitigation plans, says security expert Tom Walsh, founder of consulting firm tw-Security.
"For most organizations, the threat 'looting or rioting' is not a reasonably anticipated threat, so I seldom see it addressed in a risk analysis or a disaster recovery plan," Walsh says.
Still, if the threat of violence or crime is higher in some locations, businesses need to consider that in their risk planning, he says. "Regardless of the type of threat, the recovery process would probably be the same," he says. "There may be a few additional steps in the plan regarding involvement with law enforcement. Most plans should already address working with insurance adjusters."
When it comes to physical security, in general, most pharmacies have safeguards in place to protect their inventory, he says. "Drug stores or pharmacies that dispense medications classified as controlled substances usually have adequate physical safeguards and controls," he says. "Safes are used to store controlled substances."
Still, to protect patient information related to those drugs, "organizations should try to follow the HIPAA Privacy Rule's 'minimum necessary' requirement and lock up any papers, labels, and prescription medications, [including those] awaiting to be picked up, after hours," he says. "Hopefully, and workstations or servers used to run the business are encrypted and physically secured. "
While looting incidents are relatively rare, "there are robberies or thefts in pharmacies all the time," notes security expert Mac McMillan, CEO of consulting firm CynergisTek.
"Basic information security principles apply here. This is one area, though, where organizations that are present in areas where this is a real threat [of crime] need to seriously consider encrypting all data, including that in databases and on servers," he says.
"Elimination of paper-based PHI to the absolute minimum would also be prudent as there won't be time to shred or destroy this when a riot is happening," he adds. A "just-in-time labeling approach" for pill bottles by pharmacies can also potentially reduce the risk of PHI being stolen during unexpected thefts or looting, McMillan suggests.
"Having medications such as prescriptions profiled and in bins, as many of pharmacies do to expedite pick-up, means they are going to be at risk when [physical] security fails," he says. "However, if consumers would allow a little inconvenience - meaning a longer wait time to pick up prescriptions - then pharmacies could institute point-of-sale labeling such that they don't create the label until [the customer is] standing right there to pick it up. That would result in far fewer prescription orders with patient information being available if an event occurred. The question is - can consumers stomach a little inconvenience to protect their information?"
A Department of Health and Human Services' Office for Civil Rights spokeswoman highlights HIPAA's relevant requirements. "The HIPAA Privacy Rule requires a covered entity to have in place appropriate physical and other safeguards to protect the privacy of PHI, including reasonable safeguards to protect against any intentional or unintentional use or disclosure in violation of the privacy rule," she notes. "Covered entities are also required to address physical and other safeguards under the Security Rule, which includes standards for a facility security plan."
OCR provides additional guidance on this topic on its website, she notes.
Protecting ID Crimes
To help deter medical ID fraud, Ann Patterson, senior vice president and program director of the Medical Identity Fraud Alliance, suggests that affected pharmacies, especially the larger chains with more sophisticated pharmacy information systems, set up alerts to "flag" refill orders and pick-ups for prescription numbers that were impacted by the lootings.
Those alerts could include reminders for store personnel to ask customers for ID when picking up prescriptions. "Anytime someone is trying to refill or pick up a prescription, it's good to authenticate the ID of that person," she says. "But in the aftermath of lootings and thefts, you really need to do that."
Patterson also suggests that as a precaution, individuals who are notified by the pharmacies about the looting-related breaches should closely monitor their Explanation of Benefits statements from health insurers for suspicious transactions. That includes unfamiliar transactions that might indicate that someone other than the individual has received medical treatment or prescription medicines using the breach victim's ID.
Although identity theft is a concern, Walsh, the consultant, notes, "In my opinion, most looters are trying to grab up as many items as they can that would have a high street value. They are probably more interested in obtaining drugs and general store supplies versus a directed effort to steal PHI."
Still, if looters try to resell stolen computer equipment, "encryption for data at rest - that data stored on the hard drives and portable media - would be the best possible defense" against a breach, he adds.