[ISN] Government Report Finds Healthcare Privacy Breaches Rampant

From: InfoSec News (alerts@private)
Date: Tue Sep 05 2006 - 23:08:48 PDT


http://www.informationweek.com/news/showArticle.jhtml?articleID=192501900

By Thomas Claburn
InformationWeek
Sep 5, 2006

Over 40% of federal health insurance contractors and state Medicaid 
agencies reported experiencing a privacy breach involving personal 
health information in the past two years, according to a Government 
Accounting Office (GAO) report [1] released on Tuesday.

The contractors and agencies collectively have access to medical data 
covering more than 100 million Americans, the report says.

"That's a shocking finding," says Beth Givens, director of Privacy 
Rights Clearinghouse [2], a non-profit consumer advocacy group. "It's 
not only the number of breaches but the sensitivity of the information 
breached."

The GAO report, "Domestic and Offshore Outsourcing of Personal 
Information in Medicare, Medicaid, and TRICARE," examines the role that 
private firms, federal agencies, and state Medicaid agencies play in 
administering three of the nation's largest public health insurance 
programsMedicare, Medicaid, and the Department of Defense's TRICARE 
program.

Beyond noting the pervasiveness of privacy breaches, the report finds 
that the outsourcing of services involving personal health information 
is also common. Over 90% of Medicare contractors and state Medicaid 
agencies and 63% of TRICARE contractors reported some domestic 
outsourcing in 2005, typically involving anywhere from 3 to 20 U.S. 
vendors.

While relatively few organizations sent personal health information 
offshore33 Medicare Advantage contractors, 2 Medicare fee-for-service 
(FFS) contractors, and 1 Medicaid agency said their domestic vendors had 
transferred personal health information offshorethe GAO believes the 
extent of offshore outsourcing may be underestimated "because many of 
the federal contractors and agencies did not know whether their domestic 
vendors transferred personal health information to other locations or 
vendors."

Givens says the report indicates that there's not enough security for 
healthcare records. "These findings certainly don't inspire much 
confidence that sensitive personal information is being adequately 
protected," she says.

The GAO recommends that the privacy breach notification requirements 
that currently apply to TRICARE and Medicare FFS contractors should be 
extended to other Medicare contractors that deal with personal health 
information and to state Medicaid agencies. 

[1] http://www.gao.gov/cgi-bin/getrpt?GAO-06-676
[2] http://www.privacyrights.org/


_________________________________
HITBSecConf2006 - Malaysia 
The largest network security event in Asia 
32 internationally renowned speakers 
7 tracks of hands-on technical training sessions. 
Register now: http://conference.hitb.org/hitbsecconf2006kl/



This archive was generated by hypermail 2.1.3 : Tue Sep 05 2006 - 23:28:10 PDT