How much could a data breach cost your medical practice? Part II

By John Southrey

You may have heard that former President, George H.W. Bush’s personal e-mail account was hacked. And this occurred despite full-time Secret Service vigilance with the highest levels of security. The obvious lesson: no matter how secure you think you are online, complacency is a computer thug’s best friend.

Recently, I was forwarded a link to one of the best case studies I’ve seen about a data breach of electronic protected health information (ePHI). “First-Hand Experience with a Patient Data Security Breach” was written by the president and CEO of the Massachusetts eHealth Collaborative (MeHC). He covers the full spectrum of angst, complexity, and costs of a data breach (described as a vortex) that triggered both state and federal medical privacy and security laws. One of his most poignant quotes — “small practices have little to no idea of the avalanche that can follow from the simple loss of a laptop.”

I’ve distilled the article here:

MeHC was hired by a physician contracting network to help manage the EHR implementation of a number of physician practices. One of MeHC’s laptops was stolen from an employee’s vehicle. The laptop contained unencrypted data from 18 practices and 14,475 patients.

Of the 14,000+ records, 1,000 of them came from seven practices and involved personal information, which “pose[d] a significant risk of financial, reputational, or other harm to the individual affected.” Per federal law, all 1,000 patients had to be notified of the breach and all seven practices had to report to the appropriate state and federal regulators.

Of the seven practices, only one had 500+ potentially compromised records, a breach threshold that requires additional notification to prominent media outlets (i.e., the two largest TV news stations in the area) and the listing of the practice name on the Office of Civil Rights’ web site — aka their “Wall of Shame.”

(Note that on Jan. 17, 2012, the U.S. Department of Health and Human Services (HHS) released its “final rules” on medical privacy and security regulations. The effective date of the Omnibus Rule is Mar. 26, 2013 with enforcement/compliance deferred until Sept. 23, 2013.  Read more about the HHS final rules.

The cost implications of this data breach were significant and MeHC was very fortunate they did not have to pay any regulatory fines and penalties. The total costs to fix the breach were $288,808, of which $161,808 was paid by their cyber liability insurance carrier (less a $25,000 deductible).

Other costs were not covered by MeHC’s cyber insurance such as:

  • media consultants’ time;
  • six hundred hours of staff time to fix the problem; and
  • unspecified costs of reduced efficiency/productivity, adverse publicity, harm to reputation.

Additionally, after the loss was paid by MeHC’s carrier, their cyber liability premium at renewal increased 26% with a two-fold increase in their deductible.

The author offered the following caveats:

“I hope that others can learn from our mistakes…. It turns out that our incident was not that uncommon. According to the OCR database, over 30% of the 372 incidents involving over 500 individuals stemmed from theft or loss of a laptop or other portable device (and that’s only the reported incidents).

Most EHR systems are designed so that medical records are not stored locally on a laptop. Yet, in our investigation of this matter, we found plenty of instances of the EHR saving temporary files locally that were not purged, or of clinical users saving documents locally because they weren’t aware of the risks. While there is no doubt that EHR software should be better designed, and EHR users should be better trained, I wouldn’t bet on it. Put in place policies and technologies as a safety net, just in case software and users don’t do what they’re supposed to.”

It’s all about due diligence and a comprehensive cyber risk assessment. It’s the groundwork for protecting PHI in your custody.

There are a myriad of online resources available to help providers develop compliant PHI privacy policies and procedures and security protocols— although the regulatory complexity and sheer amount of information are overwhelming. That’s why risk management professionals recommend that providers hire competent IT consultants or attorneys with health care industry expertise for assistance.

You can also contact your medical professional liability carrier for assistance. Their risk management professionals can assist you with developing administrative, physical, and technical safeguards for protecting all forms of PHI, including:

  • staff training for handling PHI,
  • reviewing business associate agreements,
  • and conducting a HIPAA Security Risk Analysis.

Conducting a Security Risk Analysis to assess your compliance in protecting ePHI is a requirement for “covered entities” and should be done periodically.