Medical and Genetic Data Targeted in Breaches
A new healthcare data breach is making the headlines. The subject: the analytics software vendor HealthEC, whose platform is used by more than a million healthcare professionals across 18 states. The goods: medical records containing the protected health information (PHI) of 4.52 million people, according to a report to the Department of Health and Human Services’ Office for Civil Rights (OCR).
An investigation reveals that files were removed from HealthEC’s systems by an unauthorized party last July. Among the patients impacted were those of HealthEC’s clients, such as MD Valuecare in Virginia. The compromised information includes Social Security numbers and medical data such as diagnoses, prescriptions and providers.
Because Michigan residents had to wait too long for notification in this and another recent breach, the state’s Attorney General has called for new legislation to speed up the notification process.
Meanwhile, in the continued wake of the 23AndMe incident (as well as other historic breaches like Genelink and Vitagene), the Federal Trade Commission (FTC) has put forth a new guide to secure storage of people’s DNA information. As the publication emphasizes, “Genetic data reveals sensitive information not only about consumers’ health, characteristics, and ancestry, but also about their families.” According to complaints in both of these prior cases, neither company encrypted their genetic data or implemented strict access controls. Moreover, the Vitagene complaint alleged that the company didn’t log or monitor access to the data, heed warnings about the problems, or even have knowledge of just where their data had been stored. All of these failures led to compromised DNA data, which has now put organizations in this field on notice.
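The three failures the FTC complaints describe (unencrypted genetic data, no strict access controls, no logging or monitoring of access, and not knowing where the data was stored) map onto concrete controls. The following is an added illustration, not code from the original post or from any of the companies named: a small store for genetic records that keeps only ciphertext at rest, derives separate encryption and MAC keys from one master key, refuses reads and writes from roles outside an allow-list, records every access attempt (including denied ones) in an audit log, and reports where each record lives. It uses only the Python standard library, so the cipher is HMAC-SHA256 run in counter mode with an encrypt-then-MAC tag; a production system would use AES-GCM from a vetted library instead. The role names, record IDs, storage location and sample genotype string are constructed for this example.

```python
"""Added example (not from the original post): encrypted-at-rest genetic record
store with role-based access control and an access audit log.  Standard library
only.  Cipher = HMAC-SHA256 as a PRF in counter mode + encrypt-then-MAC tag;
real deployments should use AES-GCM from a vetted library.  Roles, record IDs,
the location string and the sample genotype are assumptions for illustration."""
from __future__ import annotations
import hashlib
import hmac
import os
import time

NONCE_LEN = 16
TAG_LEN = 32


def derive_keys(master_key: bytes) -> tuple[bytes, bytes]:
    """Separate encryption and MAC keys derived from one master key."""
    enc_key = hmac.new(master_key, b"genetic-store/enc", hashlib.sha256).digest()
    mac_key = hmac.new(master_key, b"genetic-store/mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC as a PRF in counter mode: block i = HMAC(enc_key, nonce || i)."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(enc_key, nonce + counter.to_bytes(8, "big"),
                               hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt_record(master_key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || tag.  The nonce is fresh per record."""
    enc_key, mac_key = derive_keys(master_key)
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_record(master_key: bytes, blob: bytes) -> bytes:
    """Verifies the tag in constant time before touching the ciphertext."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short to contain nonce and tag")
    enc_key, mac_key = derive_keys(master_key)
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered record")
    ks = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


class GeneticDataStore:
    """Holds only ciphertext, knows where its records live, logs every access."""
    ALLOWED_ROLES = {"genetic_counselor", "lab_analyst"}   # hypothetical roles

    def __init__(self, master_key: bytes, location: str):
        self._master_key = master_key
        self.location = location          # data inventory: where these records are kept
        self._records: dict[str, bytes] = {}
        self.audit_log: list[dict] = []

    def _audit(self, actor: str, role: str, record_id: str, outcome: str) -> None:
        self.audit_log.append({"ts": time.time(), "actor": actor, "role": role,
                               "record_id": record_id, "outcome": outcome})

    def put(self, record_id: str, plaintext: bytes, actor: str, role: str) -> None:
        if role not in self.ALLOWED_ROLES:
            self._audit(actor, role, record_id, "denied_write")
            raise PermissionError(f"role {role!r} may not write genetic data")
        self._records[record_id] = encrypt_record(self._master_key, plaintext)
        self._audit(actor, role, record_id, "write")

    def get(self, record_id: str, actor: str, role: str) -> bytes:
        if role not in self.ALLOWED_ROLES:
            self._audit(actor, role, record_id, "denied_read")
            raise PermissionError(f"role {role!r} may not read genetic data")
        plaintext = decrypt_record(self._master_key, self._records[record_id])
        self._audit(actor, role, record_id, "read")
        return plaintext

    def inventory(self) -> dict[str, str]:
        """Answers 'where is our genetic data stored?' for every record held."""
        return {rid: self.location for rid in self._records}

    def denied_attempts(self) -> list[dict]:
        """Audit entries a monitoring job would alert on."""
        return [e for e in self.audit_log if e["outcome"].startswith("denied")]


def demo() -> GeneticDataStore:
    store = GeneticDataStore(os.urandom(32), location="us-east-genetics-bucket")
    genotype = b"rs429358=C/T;rs7412=C/C"     # constructed sample, not real data
    store.put("patient-0001", genotype, actor="alice", role="genetic_counselor")
    assert store.get("patient-0001", actor="alice", role="genetic_counselor") == genotype
    try:
        store.get("patient-0001", actor="mallory", role="marketing")   # outside allow-list
    except PermissionError:
        pass
    return store


if __name__ == "__main__":
    s = demo()
    print(s.inventory(), s.denied_attempts())
```

The order of checks matters: authorization is decided and logged before any decryption happens, and the MAC is verified before any plaintext is produced, so a denied or tampered request never exposes genotype bytes. The `denied_attempts()` view is the kind of signal the Vitagene complaint says nobody was watching.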
In addition to recommending the usual, but still often ignored, data security practices, the FTC expounds upon expectations that companies collecting genetic data not mislead their customers or misrepresent the facts in an attempt to glean their information. Consequences for failure can be severe, as demonstrated in the cases of Vitagene or CRI Genetics, which were penalized under California state law and had to pay hefty financial settlements, along with other requirements regarding obtained consent and notification.
When organizations fail to protect their sensitive data, whether through lack of encryption, access controls, or any combination of factors, it puts not just their customers but themselves at risk. At NetLib Security, our powerful Encryptionizer platform offers secure encryption for stored data across all environments – physical, virtual and cloud. With no additional programming necessary or detriment to performance, Encryptionizer can help bolster your cyber hygiene and prevent you from becoming the next headline.