Walter Reed admits breach of patient information

By Robert Westervelt, News Editor
03 Jun 2008 | SearchSecurity.com

Officials at Walter Reed Army Medical Center are investigating how the personal information of 1,000 former patients was left unsecured on a hospital computer.

Hospital officials said they were notified of the data breach May 21 by an outside company. Few details are available, but investigators say the information may have been disclosed via a peer-to-peer (P2P) network.

"Preliminary results of an ongoing investigation have identified a computer from which the data was apparently compromised," the hospital said in a statement.

In a message on the Walter Reed website, Col. Patricia Horoho, commander of the Walter Reed Health Care System, shed some light on how the information was compromised.

"I need everyone to ensure that they are not loading or downloading programs that are not authorized by the command, as it increases our vulnerability and possibly can cause a breach in protected information being shared," Horoho said.

The message was addressed to Team WRAMC and was posted on the Walter Reed website this morning, but has recently been removed.

Organizations have a number of ways to monitor employees and detect the use of unauthorized programs on the network. Standard firewall rules can be put in place to detect P2P traffic and intrusion prevention systems can be tuned to see P2P protocols and other similar activity on the network, said Phil Hochmuth, a senior analyst at Boston-based Yankee Group.

"P2P is a direct conduit out of your organization that is hard to monitor through which personal data can easily move," Hochmuth said. "It's potentially a giant hole punch in your network perimeter."

Still, some traditional inspection and monitoring technologies have trouble detecting unauthorized programs. For example, data transmissions of the P2P service Skype are often hard to detect, Hochmuth said.

"They're more dynamic and move very easily from port to port," Hochmuth said.

It's unclear what kind of information may have been leaked at Walter Reed. The hospital is notifying each individual named in the file and offering credit monitoring assistance.

The Health Insurance Portability and Accountability Act (HIPAA) protects patients from unauthorized release of their health records.

"The information did not contain any protected health information such as medical records, diagnosis or prognosis for patients," Horoho said.

The federal government has had issues in the past with lost and stolen laptops compromising sensitive information.

In 2006, an employee at the Department of Transportation (DOT) lost a laptop containing 133,000 drivers' and pilots' records last summer. The information was believed to have been taken from a government vehicle. That same year, the Department of Veterans Affairs (VA) acknowledged a data security breach involving a desktop computer compromising the personal information of thousands of veterans.


