Health Net exposed as many as 1.9 million customer records in a breach after its IT vendor misplaced nine server drives. This is Health Net's second breach in two years: in the earlier incident, a portable hard drive containing medical and financial information on 1.5 million customers disappeared from a facility in Connecticut.
Lessons Learned: Technology is not the problem. People are the weak link and the solution. Devices are often lost and misplaced because people are not aware of, or are not held accountable for, the policies and procedures put in place by the organization responsible for protecting customer information. Organizations must ensure that all appropriate personnel, including business associates, third-party vendors and contractors, are aware of and have acknowledged their accountability for the policies, procedures and requirements for protecting sensitive patient data.
CVS Caremark Corp has agreed to pay $17.5 million to resolve claims that it overbilled Medicaid. The case was brought to the Justice Department by a whistleblower in Minnesota, who will receive $2.6 million.
Which makes more sense to you and your bottom line? A) Having employees report illegal and unethical situations internally, so your organization can address them and document them for legal and CYA purposes, or B) having employees report illegal and unethical situations to the federal government, and then dealing with expensive multi-million dollar fines, spending time, money and resources on repairing your reputation, and watching the whistleblower get paid millions too?
Lessons Learned: Now that the federal government is paying whistleblowers, and now that Wikileaks and other public web sites are available to report to, organizations need a more holistic and comprehensive platform that connects all the dots internally, with documentation to prove that the organization can receive tips, investigates them, takes appropriate action, alleviates future concerns and documents the entire process.
The HHS Office for Civil Rights is asking for $46.7 million in funding, an increase of $5.6 million over the current level. 76 percent of the new funds will be for increased enforcement of health information privacy and security rules.
Lessons Learned: Increased enforcement of existing and new regulatory requirements is on the way. Is your organization prepared and meeting all compliance requirements for HIPAA/HITECH, or are you willing to take your chances? Based on numerous other lessons learned stories in this blog (search the Lessons Learned Blog for your sector or other keywords), getting your compliance program in shape sooner rather than later makes a lot of sense.
According to Symantec's Internet Security Threat Report, there were 286 million new threats in 2010, an average of about 783,561 new threats per day. The report also points to dramatic increases in both the frequency and sophistication of targeted attacks, and to the continued growth of social networking sites as a channel for distributing attacks.
Lessons Learned: Your people are under attack. How is your organization keeping your people up to date on new attacks and new threats?