Medical files found in trash

PORT ST. LUCIE, FL — Police on turned up medical files in a trash bin near University Medical Clinics that contained information that could be used to commit identity theft, a police spokesman said Wednesday.

Police determined the files, which contained information including patient names, Social Security numbers, phone numbers and addresses, had been discarded from University Medical Clinics in the 1800 block of Southeast Port St. Lucie Boulevard, said Officer Tom Nichols, police spokesman.

A man identified by Nichols as a high ranking official with the company indicated an employee had thrown the files way.

“A garbage bag full of medical records is not an oversight,” Nichols said.

Dr. Samuel Sadow, CEO of University Medical Clinics, said Wednesday he didn’t think any patient information had been compromised.

“We’re very concerned about it and we’re doing our own internal investigation,” Sadow said.

Nichols said the records were returned to the office.

Nichols said the files initially were found by a woman acting on an anonymous tip that they’d been discarded. That woman then notified police of her discovery.

(Read original article here)

Shredding Service Fort Lauderdale

MicroShred

Secure Mobile On-Site / Off-Site Document Shredding Company – Fort Lauderdale, Florida

MARYLAND BANK DUMPS IDENTITIES INTO TRASH

ABC2 News – Rodgers Forge, Maryland

ABC2 News investigators recently discovered that an M&T Bank branch in Rodgers Forge, Maryland improperly disposed of documents that should have been shredded. These documents included social security numbers, driver’s license numbers, bank accounts, and other sensitive information that should not have wound up in the dumpster. When contacted by the media M&T stated that the discovery was a clear violation of corporate policy, and pledged to conduct an extensive internal investigation…

Full Story

HITECH RELATED REFERENCE TO NIST SPECIFICATION CAUSING CONFUSION/CONCERN

The Department of Health and Human Services issued guidance related to safe harbors for healthcare providers to avoid mandatory data breach notification.  The guidance states that if computer hard drives are disposed after sanitization meeting National Institute for Standards and Testing (NIST) specification SP 800-88, data breach notification will not be required.  It also states that that destroying paper media in a manner that it “cannot be read or otherwise cannot be reconstructed” provides that same safe harbor. The NIST SP 800-88 specification reference in the HHS Guidance DOES NOT APPLY to paper media within the HHS Safe Harbor Guidance, HIPAA, HITECH or Data Breach Notification.

Unfortunately, because NIST SP 800-88 also contains specifications for paper destruction, which is very small, some HIPAA/HITECH Covered Entities are misinterpreting the HHS Guidance to mandate that destruction specification extends to paper as well. Again, NIST SP 800-88 does not extend to paper media, only to sanitization.

Here is the language as it reads in the Federal Register:

(b) The media on which the PHI is stored or recorded has been destroyed in one of the following ways:
(i) Paper, film, or other hard copy media have been shredded or destroyed such that the PHI cannot be read or otherwise cannot be reconstructed.
(ii) Electronic media have been cleared, purged, or destroyed consistent with NIST Special Publication 800–88, Guidelines for Media Sanitization, such that the PHI cannot be retrieved.

It is important to note that none of this is actually a requirement of HIPAA or HITECH—it is simply advice regarding safe harbors for avoiding possible data breach notification events.

Read the Federal Register Reference

(source:http://naidonline.org/)

FLORIDA SHREDDING

MicroShred

Secure Mobile On-Site / Off-Site Document Shredding

SOUTH FLORIDA SHREDDING DIRECTIONS

MicroShred, South Florida, provides both mobile and plant-based destruction of confidential documents. Our mobile shredding units can come to you and shred all sensitive material at your location, under your supervision. Click here to read about our South Florida Shredding Services.

If you are interested in plant-based destruction, you can get directions to Florida’s Document Shredder MicroShred Inc. from the following places :

All directions are from South Florida going to:
MicroShred Inc.
19593 NE 10th Ave.
Miami, FL 33179-3577, US

We also provide Shredding Services to the following areas:

• Atlantis
• Boca Raton
• Boynton Beach
• Briny Breezes
• Broward County
• Cloud Lake
• Deerfield Beach
• Delray Beach
• Fort Lauderdale
• Glen Ridge
• Golf
• Greenacres
• Gulf Stream
• Haverhill
• Highland Beach
• Hypoluxo
• Juno Beach
• Jupiter
• Jupiter Inlet Colony
• Lake Clarke Shores
• Lake Park
• Lake Worth
• Lantana
• Loxahatchee
• Manalapan
• Miami-Dade County
• Miami
• Palm Beach
• Palm Beach Gardens
• Pompano Beach
• West Palm Beach

NAID TO KEEP CLOSER TABS ON BREACH NOTIFICATION CASES

With HIPAA Covered Entities and Business Associates now subject to data breach notification requirements of HITECH, NAID Members will see the association more closely following and reporting on related issues.

Recently, Aetna Casualty was forced to notify 65,000 current and former employees, sending each a letter wherein the company admitted its role and described the nature of the data breach.  The company’s online job application site was breached, which only became apparent earlier this month when affected individuals began receiving suspicious emails soliciting personal details.  The site reportedly contained the Social Security Numbers of the 65,000 people who were notified.

A class action suit has already been filed against Aetna related to this incident, which is just one of the consequences of what is coming to be known as Breach Notification Fallout.

The upcoming edition of NAIDnews (June 2009) contains a thorough examination of the impact of breach notification and why it is among the most feared of all the new HIPAA/HITECH provisions.

Full Article

Corporations Still Unfamiliar with Laws Governing Information Privacy

A recent survey reveals that while corporations are spending more money in an effort to safeguard personal information, many corporate leaders say they are unfamiliar with key federal and state laws governing information privacy.

The survey, conducted on behalf of Boston-based Iron Mountain, targeted companies with annual revenue of at least $750 million. The survey polled 115 business professionals involved in or responsible for information privacy at publicly held companies.

According to the survey’s findings, companies believe they’re more familiar with federal requirements for information destruction than they actually are. While nearly three in four respondents (74 percent) express familiarity with federal requirements, fewer than one in three (30 percent) are aware of the Federal Trade Commission’s Fair and Accurate Credit Transactions Act (FACTA) Disposal Rule. The FACTA Disposal Rule mandates that organizations properly dispose of documents containing consumer information through methods such as burning, pulverizing or shredding so that the “information cannot practically be read or reconstructed.”

The survey also reveals that nine in 10 companies outsource their shredding, while more than half (57 percent) also rely on on-site commercial-grade shredding or incineration equipment. But fewer than one in four report compliant destruction of consumer information (24 percent) or audit-compliant policies and procedures (23 percent) based on best industry practices.

Two in three companies (66 percent) say it has become more important to formalize policies and procedures for destroying sensitive information. Those companies cited new laws (63 percent), negative press of data losses (43 percent), customer demand for information security (29 percent) and pressure from industry groups (28 percent) as the top reasons why.

(Source: sdbmagazine.com)

11 People Charged In TJX Identity Theft Case of 45+ Million Personal Identities

11 people, including even a confidential informant working for the Secret Service, were charged in connection with a case involving illegally tapping into the wireless payment processing systems of the following retail outlets:

• TJX (TJ Max)
• OfficeMax
• Boston Market
• Barnes & Noble
• Sport’s Authority
• DSW
• Forever 21
• BJ’s Wholesale Club

Besides tapping into the wireless networks of these major retailers, the thieves were successful in setting up programs that captured card numbers, passwords and account information from a massive amount of unsuspecting consumers.

While TJX admitted to 45 million consumers were negatively impacted from the two year period the identity thieves had unauthorized access to their payment processing data, court documents revealed the real estimate was closer to 100 million consumers confidential data was compromised based on depositions by Visa and Mastercard.

The ring leader, a Miami man who was also the confidential informant for the Secret Service, turned out to be a double agent who had been providing criminal’s information about ongoing investigations and tipping off associates.

With the massive amount of credit account access information stolen and provided to worldwide identity thieves, this case involving TJX has a big impact in our personal identity and financial safety.

The Secure Shredding Industry’s Almighty Certificate of Destruction

In the professional shredding industry there is a document known as the Certificate of Destruction which is given to customers utilizing shredding companies as “proof” that documents have been destroyed. While these COD’s are used by virtually all shredding companies, the similarities end there. There is no universal form for a COD, which can create confusion for you, the consumer, when shopping for a reputable shredding company. Just what does the COD mean anyway? Probably not what you thought it meant.

Many shredding clients mistakenly take the COD as proof that they have washed their hands of any liability for the documents that are being destroyed. Unfortunately, this is logistically impossible, for many reasons. Even if a COD is itemized, listing, say, all employee records from 1990-1995, it is obviously impossible for the shredding contractor to know for sure whether each and every employee record for that time period was included in the documents he was given. And shredding companies don’t pretend to know that either.

A standard clause in contracts for all NAID members (National Association for Information Destruction, which every reputable shredding company should be a member of) clearly states that itemized lists of materials submitted for destruction are not proof that such documents were actually included in the materials submitted. This clause protects the shredding company, but it also protects the consumer, because it is eliminating any false notions that the COD is in itself proof that particular documents were destroyed. The clause goes on to state that if specific proof is needed, special arrangements need to be made in advance, with special terms and fees.

So what, then makes up a good COD, and what should you look for when selecting your shredding service? Here are some excellent qualities of a Certificate of Destruction :

• A unique serial or transaction number
• A clear statement of the terms and conditions
• Statement of fiduciary responsibility
• The date and location of the destruction of materials
• The witness to the destruction (a signature, which could be another employee or representative of the shredding company, or representative of the client if they wish).

What does all of this mean? Do Certificate of Destructions provide any protection to the consumer? Actually, they are very important documents that protect both the contractor and the consumer, by stating upfront what is and what is not a responsibility of the shredding company. And ultimately, it all leads back to this: choosing a reliable, reputable shredding company provides you not only with excellent service, but peace of mind as well.

Information Protection Is A Vital Issue To Senior Management

In a survey conducted by the Conference Board, top executives from 300 companies ranked the security of company records as one of the top five critical issues facing business. When asked which issues required immediate attention and policy development, the security of company records ranked second only to employee health screening.

Contact MicroShred Inc. Florida today to handle all your confidential shredding needs.