Hopefully this isn't too far afield for the list. I recently got a notification from an organization related to one of the big credit bureaus that my medical information was breached. I contacted that organization, who gave me what I thought was a rather hard time. Evidently that organization has a "branch" who handles that sort of thing for clients, for a fee of course. Without their help, I tracked it back to a medical billing agency, who was hacked ... I believe via social engineering. I have no idea if the data was on a mainframe, or what type of computer.
Having worked in the back office of a large bank (if anyone cares, I posted to this and several other groups with my ID from that bank over the years) I got lots of annual training on privacy and HIPAA. They do take it quite seriously. Contacting the billing agency, they referred me to the credit agency's company and refused to talk to me. The doctor's office refused to return my phone calls. I got disgusted over the whole thing, and reported all of them to the US Department of Health and Human Services (HHS). That was all about 6 months ago. I just got a letter back from HHS that they have accepted it as a HIPAA violation and will take action against the doctor's office. I have mixed feelings about doing stuff like this, because doctors' visits are so expensive, largely due to things like malpractice insurance. On the other hand, getting blown off by everybody involved really ticked me off. The doctors, billing and credit agency act like it's no big deal. At the very least, I think they're going to find out it may turn out to be an expensive big deal.

Date: Sun, 23 Jun 2019 11:34:35 -1000
From: Anne & Lynn Wheeler <[email protected]>
Subject: Re: mainframe hacking "success stories"?

[email protected] (David Spiegel) writes:
> *HIPAA Summary of the HIPAA Security Rule
> https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html

after leaving ibm, did some amount of work with financial industry, including rep on standards committees ... as part of being co-author for the privacy standard ... had number of meetings with fed privacy officers ... also meeting with people behind HIPAA ... there were two that were still around who had originally drafted HIPAA back in the 70s ... and bemoaning how long it took to get passed ... and at the time, the health industry had still managed to block/delay including any penalties for HIPAA privacy & security violations.
We had to talk to HIPAA people because there were situations where monthly financial transaction statements could leak information about medical tests and procedures. Along the way, had been asked to help wordsmith the cal. state data breach notification act (1st in the nation). There were several participants heavily into privacy issues who had done detailed public surveys and found that the #1 issue was "identity theft" resulting in fraudulent financial transactions (largely as result of breaches). At the time little or nothing was being done about breaches. The issue is that entities normally take security countermeasures in self protection; however, in the breach cases, the institutions weren't at risk, it was the public (and the institutions were doing a lot to obfuscate when any breaches occurred). It was hoped that publicity from breach notifications might motivate corrective action. I was able to include in the financial privacy standard some of the work that went into the cal. breach notification legislation regarding needing to motivate institutions to protect their customers and the public privacy.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
