According to Modern Healthcare, Indiana Attorney General Gregory Zoeller (R) filed a lawsuit recently against health insurer WellPoint regarding a breach of customer information affecting more than 32,000 individuals.

The suit alleges that WellPoint — the largest health insurance company in the nation — failed to meet state rules to alert policyholders about the breach in a timely manner (Conn, Modern Healthcare, 11/1).  

The personal information exposed via a WellPoint website included Social Security numbers, financial information and health records. The breach lasted at least 137, from October 2009 to March 2010. 

Read more about the breach details.

 The October healthsystemCIO.com SnapSurvey indicates that nearly 80 percent of CIOs are confident in their security prevention measures, response plans and documentation processes. 

Still, according to Anthony Guerra, follow up comments indicate that although CIOs have taken reasonable measures, they don’t feel comfortable declaring their organizations impenetrable. 

Read more. 

 Have you been a patient in a Texas hospital in the last ten years? Chances are high that the details of your stay didn’t stay at your hospital, or even in Texas. The Texas Department of State Health Services (DSHS) has sold or given away hospital patient data on more than 27 million hospital stays since 1999, according to a report by the Austin Bulldog, a nonprofit investigative journalism organization.

Attorney Jim Harrington, director of the Texas Civil Rights Project, told the Bulldog, that DSHS data sales represent a "wholesale invasion of families’ medical privacy" and a "shocking breach of people’s constitutional rights."
DSHS makes public use data files available through its website. The data files contain more than 200 kinds of information, naming your insurance coverage, whether the stay involved placement of a heart stent, sterilization, abortion performed due to rape, and any tests or medications you may have received.

Read more at Fierce Healthcare. 

 The stories just keep getting scarier — Fierce Healthcare reported that a Johns Hopkins Hospital employee stole names, social security numbers, birth dates and addresses from patients, then gave the information to friends who got  "instant credit" at stores to buy more than $600,000 in merchandise, alleged federal officials in an indictment issued Friday.

A federal grand jury indicted Jasmine Smith from Johns Hopkins and four others for fraud and aggravated identity theft charges, according to an announcement by Maryland District U.S. Attorney and other officials. 

How can you stop something like that from happening at your facility?

 A recent article on HealthLeaders Media covered how the HITECH Act brings to light how much more the healthcare industry must do to protect patient privacy. If you refer the the Office for Civil Rights (OCR) breach notification website, you can see the 116 breaches affecting 500 or more individuals. It’s great that this information is publicly available, allowing healthcare organizations to see the mistakes being made; maybe it can help prevent future issues. 

HITECH revamps the HIPAA privacy rules and increases penalties and public scrutiny for violators, but the best way it has been applied may be in Connecticut. The new powers granted to state attorneys general really enabled Connecticut AG Richard Blumenthal to pursue Health Net and change how the state’s insurance department handles breach notification. 

Can you think of other ways HITECH has been proven?

Read more at HealthLeaders Media.