
Breaches

  1. Breaches

  2. Breach vs. Security Incident
  A security incident is an actual or suspected occurrence of:
  • Damage, destruction, unauthorized access, or disclosure of Department equipment or information.
  • Theft (or even attempted theft) or loss of Department equipment or information.
  • Fraud, embezzlement, misuse, or inappropriate use of state property.
  • Apparent detection of a computer virus on a state computer.
  Simply put, theft of a computer or other IT equipment or device is a security incident that must be reported to the Information Security Office (ISO) immediately! If PHI/PCI/sensitive information was present on the device, the incident is also a breach of confidential information and must then be escalated to the Department’s Privacy Office. The Privacy Office is responsible for directing notification to the individuals whose information was breached.

  3. Security Incident Reporting
  State policy requires Departments to follow specified notification and reporting processes when information security incidents occur.
  “…It is Department policy to maintain a record of security incidents and breaches and employ security measures that preserve the privacy of confidential, personal, or sensitive information and prevent the release or destruction of confidential, personal, or sensitive information through theft, loss, damage, unauthorized destruction or modification, unintentional or inappropriate release, misuse, accident, sabotage or other criminal activity, or natural disaster.”
  What do you do if you encounter an incident (or even suspect one)?
  • Contact your supervisor immediately! HAM 6-1060.1 requires that “Department employees shall, in the most expedient time possible and without unreasonable delay, report any suspected or confirmed incident to the employee’s Division Chief via the employee’s chain of command.”
  • If you are the supervisor, or your supervisor is not available, call the IT Help Desk and open a Remedy ticket. (See the Website Reference page at the conclusion of this training.)

  4. What is a Breach?
  A “breach of the security of the system”:
  • Is the “unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business.” AND
  • Must be disclosed to any resident of the state whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
  Note the qualifier: the statutory notification duty attaches to unencrypted personal information. That is why the examples on the following slides turn on whether the lost or stolen device or medium was encrypted, and why the written breach report (slide 12) must state it.

  5. Examples of Paper Breaches (Unauthorized Disclosure)
  • Misdirected paper faxes with PHI/PCI sent outside of DHCS
  • Loss or theft of paper documents containing PHI/PCI
  • Mailings to incorrect providers or beneficiaries

  6. Examples of Electronic Breaches (Unauthorized Disclosure)
  • Stolen, unencrypted laptops, hard drives, or PCs containing PHI/PCI
  • Stolen, unencrypted thumb drives containing PHI/PCI
  • Stolen briefcases with unencrypted compact discs containing PHI/PCI
  • Misdirected electronic fax with PHI/PCI sent to a person outside of state government

  7. California Anti-Identity Theft Law
  LEGISLATIVE HISTORY
  • Senate Bill 1386 (Peace; Chapter 915, Statutes of 2002), otherwise known as the California Security Breach Notification Act, requires state agencies and other entities that maintain personal information in computerized form to notify residents of California in the event of an unauthorized acquisition of computerized data.
  • California Adds Medical Identity Theft to the State Breach Notification Law
  • Assembly Bill 1298 (Jones; Chapter 699, Statutes of 2007) expands California’s Security Breach Notification Act from a financial identity theft law to a medical identity theft law, effective January 1, 2008. AB 1298 adds two new categories of breach-triggering information:
  • Medical information: the individual’s medical history, treatment or diagnosis, and mental or physical health condition
  • Health insurance information: health insurance policy or subscriber number, application and claims history, and appeals records

  8. Timing
  • California law requires that the notice be made “in the most expedient time possible and without unreasonable delay.”
  • Time may be allowed for the needs of law enforcement, if notification would impede a criminal investigation.

  9. Contractors & Business Associates
  • Any person or business that maintains computerized data that the person or business does not own must notify the owner or licensee of the information of any breach of the security of the system immediately following discovery.
  • Notification requirements should be written into contracts and Business Associate Agreements (BAAs).

  10. Office of Privacy Protection Notification Recommendations
  • Notification letter: advise individuals of steps they can take to protect themselves against the possibility of identity theft.
  • Recommend contacting the three credit reporting agencies: Equifax, Experian, and Trans Union.
  • If you find suspicious activity on your credit reports, call your local police or sheriff and file an identity theft report.
  • Contact the DMV (Fraud Hotline: 866-658-5758) to place a fraud alert on your driver’s license.
  • California Office of Privacy Protection recommendations are available at: www.privacy.ca.gov.

  11. Reporting Privacy Breaches (HAM Section 1060.1)
  DHCS employees and business associates must take immediate action and report all Privacy Breaches to:
  • Your Supervisor
  • DHCS Privacy Officer
  • Information Security Officer
  Do not delay reporting a suspected privacy breach in order to complete your own internal investigation.
  Privacy Breaches DO NOT include:
  • Misdirected mail within DHCS
  • Emails transmitted from outside DHCS to the wrong email address within DHCS, or unencrypted email received from outside DHCS

  12. Breach Written Report
  A completed written breach report to the DHCS Privacy Office is required within 15 working days of discovery of a breach:
  • Incident details and description, including:
    • What data elements were involved and the extent of the data involved
    • How many Medi-Cal beneficiaries were affected
    • If this was an electronic breach, whether the device was encrypted
  • Cause of incident, or probable cause
  • Impact of incident: potential misuse of data, identity theft, etc.
  • Whether Civil Code sections 1798.29, 1798.82, or any other federal or state laws requiring individual notifications were triggered
  • Mitigation: steps to reduce harmful effects, i.e., notification of members
  • Corrective Action Plan: steps to prevent recurrence, such as retraining of staff or creation/revision of procedures
  • Additional information, such as notification to other facilities’ units, Fraud Prevention and/or police, licensing boards, etc.

  13. Privacy Investigations
  DHCS investigates all alleged breaches reported by its employees, staff of its business associates, individual program beneficiaries, or other persons, and will work to resolve the issues raised in order to safeguard individuals’ confidential information and improve DHCS business systems and practices. The Privacy Officer determines the appropriate level of response to mitigate potential harm, and the corrective action necessary, when DHCS is made aware of a privacy breach.

  14. Consumer Protection

  15. Fraud Alerts! Civil Code Section 1785.11.1
  SB 168 (Bowen; Chapter 720, Statutes of 2001) established the fraud alert to warn banks and potential creditors that a person may be a victim of identity theft.
  • Requires the credit bureau to place a fraud/security alert within 5 business days of the consumer’s request, at no cost to the consumer.
  • Contact the three credit reporting agencies (Equifax, Experian, and Trans Union) at their toll-free numbers, available 24/7.
  • A fraud alert lasts 90 days, with the right to request a renewal.
  • A business must take reasonable steps to verify the identity of the consumer, by contacting the consumer, before extending credit.

  16. Credit Freeze: Civil Code Section 1785.11.2
  Fraud alerts may be ignored by some creditors. To further guard against identity theft, California law allows consumers to place a security “freeze” so the credit file cannot be shared with potential creditors.
  • No cost for a victim of identity theft who has filed a police report; otherwise $10 for each credit bureau ($30 total).
  • The freeze may be lifted to obtain credit with a specific creditor while the freeze remains in place.
  • The credit bureau must respond within three business days.
  • The credit freeze stays in place until the consumer requests that it be removed.
  • The freeze may be temporarily lifted by the consumer.

  17. Free Credit Report
  One of the best ways to protect yourself from identity theft is to monitor your credit history.
  • The federal Fair Credit Reporting Act (FCRA) requires the nationwide credit reporting agencies to provide a free copy of your credit report upon request every 12 months.
  • You may obtain your free copy of your credit report by:
    • Calling toll free: 1-877-322-8228
    • Visiting the central website the three credit bureaus have set up: https://www.annualcreditreport.com/cra/index.jsp
  Note: beware of other sites that offer “free” credit reports but charge for other products.

  18. Breach/Unauthorized Disclosures Contacts
  Privacy Officer
  E-mail: privacyofficer@dhcs.ca.gov
  Phone: (916) 440-7750
  FAX: (916) 440-7710
  Information Security Officer
  E-mail: iso@dhcs.ca.gov
  Phone: (916) 440-7000 or (800) 579-0874

  19. Federal Stimulus Bill Includes New Mandatory Breach Notifications
  American Recovery and Reinvestment Act of 2009 (ARRA); H.R. 1; Public Law 111-5; signed into law by President Obama on 2/17/09.
  Title XIII of ARRA, under the provisions of the HITECH Act, Subtitle D: Privacy, Sec. 13402, entitled “Notification in the case of Breach,” contains new privacy breach notification requirements for covered entities under HIPAA:
  • Requires notification of affected individuals without unreasonable delay, and no later than 60 days after discovery, for a privacy breach involving HIPAA-covered PHI.
  • Requires notification to the U.S. Department of Health & Human Services (HHS) and to media outlets for privacy breaches impacting 500 or more individuals.
  • Breaches affecting fewer than 500 individuals must be logged and reported to HHS annually.
  • Authorizes state attorneys general to bring suit for HIPAA violations.
