As Data Breaches Spread, Providers and Payers Must Prepare
The actions taken by a health care organization in the days, weeks, and months after a security breach can mean the difference between recovery and organizational failure, according to an article on the HealthLeaders Media website.
Three words health care executives dread hearing — “we've been hacked” — are reverberating in hospitals, health systems, and physician groups with growing frequency, the report says.
Last week, Boston-based Partners Healthcare notified 3,300 patients that some information, including names, addresses, dates of birth, telephone numbers, Social Security numbers, and clinical information, had been leaked to hackers. In February, the country’s largest insurance company, Anthem, announced that 80 million member and employee records had been breached.
Most organizations will experience a data breach at some point, says Elizabeth Hodge, a lawyer in West Palm Beach, Florida.
“If you are a health care entity, you should anticipate that you will have a breach of unsecured health information at some point,” she says.
The Ponemon Institute, a data security research and consulting firm, found in its annual benchmark study that health care providers experience frequent data breaches involving the loss or theft of patient health information. About 90% of health care organizations were found to have had a data breach within the last 24 months.
Social Security numbers, credit card information, and other private data are valuable, but the “crown jewel” for a data thief is a full medical record, which can fetch a criminal as much as $250, according to Larry Ponemon, PhD, founder and chairman of The Ponemon Institute. Often, the information is used to impersonate the victim or to set up a fake identity. A full chart with headers contains personal data, payment information, and often Social Security numbers, which can be used to obtain medical treatment.
Dealing with a data breach starts by being prepared for it, Hodge says.
“Before the breach ever happens, from a legal and good business planning perspective, you should anticipate that you will have a breach of unsecured health information at some point in your business’ life,” she says.
Insurance may help defray the costs of responding to a breach, but as the Department of Homeland Security confirms, the cybersecurity insurance market is young, and confusion about policy costs and coverage is abundant.
According to regulations in the Health Insurance Portability and Accountability Act (HIPAA) of 1996, organizations have 60 days from the date of discovery of a breach to provide notice to patients that their data have been compromised. “There is an exception for situations where law enforcement has requested a delay in notifying patients beyond that window,” Hodge adds, although those are fairly rare.
While regulations vary from state to state, most require patients to be notified in writing via U.S. mail.
Publicly announcing that there has been a breach can inadvertently make the situation worse if it’s done too soon, Hodge warns. One consequence of announcing a malicious breach prematurely is that it can alert the criminals that they have been discovered, which can foil any opportunity to track them down.
Moreover, an announcement made before the extent of the breach is known can discredit an organization, she says.
Once the public has been made aware of a breach, the next step is to focus on repairing relationships with customers (patients), Hodge says. In the past, it may have been considered a bad idea from a legal perspective to apologize for a data breach, but that is no longer the case.
Hodge believes that refusing to express regret, rather than issuing a simple apology, is more likely to provoke customer outrage or a lawsuit.
Ponemon’s research suggests that she is correct, finding that 43% of customers will return to an organization that leaked their information if they receive a heartfelt apology. In addition, Ponemon and Hodge both suggest offering affected patients free credit-monitoring services and legal assistance should they become victims of identity theft as a result of a breach.
Source: HealthLeaders Media; May 6, 2015.