Archive for the ‘Uncategorized’ Category


LifeLock settles with FTC for $12 million

Posted by: Doug Pollack | March 12th, 2010

Federal agencies and regulators announced this week that LifeLock will pay $12 million to settle a complaint that it used false and misleading claims in its advertising. $11 million of the settlement will be paid to the Federal Trade Commission (FTC) and $1 million to 35 state attorneys general, all of whom worked together on this case.

The history of aggressive advertising by LifeLock, as well as Experian with their FreeCreditReport.com singing pirate ads, has been aimed at giving consumers a sense that these services can prevent them from falling victim to identity theft.

FTC Chairman Jon Leibowitz said in a statement that:

“While LifeLock promised consumers complete protection against all types of identity theft, in truth, the protection it actually provided left enough holes that you could drive a truck through it.”

Illinois Attorney General Lisa Madigan concurred by saying:

“This agreement effectively prevents LifeLock from misrepresenting that its services offer absolute prevention against identity theft because there is unfortunately no foolproof way to avoid ID theft.”

Unfortunately, this situation illustrates how a company can parlay millions of advertising dollars into a consumer franchise based on fundamentally unsound claims. It is certainly a perfect example of a real consumer need based on a serious problem — identity theft — being addressed by an organization that isn’t playing straight with the American people.

New Healthcare Data Breach Solution

Posted by: Doug Pollack | February 17th, 2010

ID Experts today announced a new and unique solution for data breaches that involve protected health information (PHI) and associated risks of medical identity theft.

With the passage of the HITECH Act last year and the clarifying Rules published by Health and Human Services (HHS), healthcare organizations now face greater scrutiny and higher risks when it comes to patient privacy.

Historically, there has been the perception of a somewhat lax environment relative to the enforcement of HIPAA privacy regulations. With HITECH only just recently becoming enforceable, the first lawsuit has already been filed by the Attorney General of Connecticut against Health Net of Connecticut concerning their delayed response to a data breach incident that occurred months ago. If this is any indicator, the enforcement environment for HITECH is likely to be very vigorous.

With this backdrop, ID Experts created a data breach remediation offering that is tailored to meet the needs of healthcare providers and payers, and their business associates.

Until recently, common practice has been for organizations that have a data breach incident to offer victims a year or two of credit monitoring. Unfortunately, credit monitoring alone is woefully inadequate in helping individuals deal with the risks of medical identity theft and health insurance fraud. With that in mind, ID Experts created FraudStop Healthcare Edition.

FraudStop Healthcare Edition combines several components that help individuals affected by a data breach detect and address the identity theft issues that can result from a data breach. These include:

- Credit monitoring

- CyberScan, a tool that scours cyberspace for the buying and selling of personal information including for use in insurance fraud

- Healthcare Identity Protection Toolkit, a new and unique offering from ID Experts that includes a collection of tools, checklists, resources and guides for assisting an individual in monitoring their medical identity and resolving fraud issues

- Identity theft reimbursement insurance

- Fully managed identity theft restoration services

Together, this package provides the most robust offering in the market today for healthcare providers dealing with data breach risks to assist patients in ensuring their privacy.

If your organization is in the healthcare industry and subject to the HITECH Act, you now have a better and more caring answer for your patients when dealing with occasional, but typically recurring, data breach issues.


2010: Year of the Healthcare Data Breach

Posted by: Doug Pollack | January 6th, 2010

An article today in iHealthbeat titled “Innovation Inspired by Economics: 2010 Health IT Forecast” discusses trends and expectations for growth in healthcare information technologies despite the financial issues faced by many US healthcare providers currently.

“Necessity being the mother of invention, a constrained economic environment will lead to health IT innovations in two ways. First, lower cost technologies are emerging in health IT, such as open-source software, software as a service, and cloud computing, all of which will be priced lower than traditional health IT offerings. Cloud computing (the use of the Internet to store, manipulate and deliver data already existing on the Web) is seen by some health IT consultants as a useful tool in health, especially for small medical practices.”

The growth in adoption of electronic health record (EHR) systems, together with the noted trends towards open source software and cloud computing, and new privacy legislation with steep penalties for security breaches, creates a “perfect storm” for healthcare with respect to data breach incidents.

The iHealthbeat article further notes the evolution of risks and new legal requirements now associated with HIPAA business associates.

“We can expect tougher privacy and security enforcement in health care in 2010 because of new and heftier privacy and security penalties written into the American Recovery and Reinvestment Act. The civil penalty cap will be raised from $25,000 to $1.5 million. This is a major issue for 2010 because nearly 60% of business associates interviewed in a HIMSS Analytics survey in November 2009 were unaware that changes to HIPAA will go into effect in 2010. That’s when consumers are guaranteed ‘prompt access’ to an electronic copy of their health records.”

Everything points toward 2010 being a very interesting year when it comes to patient privacy and data security.


Healthcare Breach Reporting Article Highlighted by HCPLive

Posted by: Rachel James | December 21st, 2009

Thanks to Healthcare Professionals Live for highlighting this article and the important questions it raises.

…I was wondering about why there have yet to be any healthcare data breaches posted on the Health and Human Services (HHS) Office of Civil Rights (OCR) website. Because there have been a number of substantial incidents reported in the press since the notification requirement under the HITECH Act went into effect, it was unclear as to whether the covered entities were remiss in reporting or whether the hold up was at OCR…


Common Identity Theft Myths

Posted by: Rachel James | December 16th, 2009

Through Twitter, we connected with the good people at Broadband for America to bring you this article about three common online identity theft myths.

Thanks to identity theft awareness programs, many people are now exercising increased caution when online. Most folks understand the danger in revealing too much personal information on the Internet, or falling for phishing scams. However, there are still some persistent myths that may be keeping you from protecting yourself and your identity. Here we will look at just three of these myths, and the facts that lie behind them.

Myth 1: I know what those scams look like, bad spelling and terrible English; who falls for those things anyway?

Fact: Indeed, many people are familiar with the obvious signs of a scam. So many people are wise to these frauds that scammers have begun to outsource their products and develop corporate-like organizations to work…


North Pole Data Breach

Posted by: Doug Pollack | December 16th, 2009

Just in…Santa retains ID Experts to provide breach remediation assistance.


Healthcare Breach Reporting

Posted by: Doug Pollack | December 16th, 2009

In a recent post, I was wondering about why there have yet to be any healthcare data breaches posted on the Health and Human Services (HHS) Office of Civil Rights (OCR) website. Because there have been a number of substantial incidents reported in the press since the notification requirement under the HITECH Act went into effect, it was unclear as to whether the covered entities were remiss in reporting or whether the hold up was at OCR.

Based on some encouragement, I was given the name of the responsible person at OCR and emailed to ask about this seeming discrepancy. She was nice enough to provide the following reply from Hannah Stahle, JD, Health Information Privacy Specialist:

“In response to your question regarding the posting of breaches on the OCR website, we have been receiving reports from covered entities of breaches affecting 500 or more individuals since the effective date of the regulation.  We are now in the process of working to establish our web page for posting information regarding such breaches.  Because the breach notification regulation imposed a new reporting requirement on covered entities, which has been in effect for less than three months, we are taking extra care to ensure that all breach notifications we receive are accurate before we post any information on our website.”

It is wonderful to know that covered entities are in fact reporting breach incidents as required, and that HHS is working to ensure that their reporting site is accurate given the sensitive nature of the incidents being reported.

I had also asked about whether there were likely to be changes to the “harm threshold” guidance between now and the issuance of the Final Rule. She again commented that:

“With respect to your question concerning the harm threshold, we are in the process of analyzing the comments we received in response to the interim final regulation and will be developing a final breach regulation in the near future.  The harm threshold generated many comments on both sides of the issue, and we will consider all comments as we begin to develop the policy for the final rule.”

I do believe that there are two issues at play here. One, that it is difficult to expect that a covered entity can make a completely impartial determination as to the level of harm that is represented by a data breach incident, if in fact they have a lot to lose by acknowledging that such an incident did in fact create a threat of harm to those affected individuals. The second, though, is that it would be desirable for the Rules to be as unambiguous as possible, so that organizations do not need to be involved in making “judgment calls” on the level of harm caused by incidents.

Card Compromise: What to Do if Your Bank is Closed

Posted by: Rachel James | December 7th, 2009

When holidays are around the corner, the amount of fraudulent activity tends to increase. As we all know, the most important aspect of stopping fraud is reporting it immediately. Unfortunately, the holidays also mean that many financial institutions and companies are closed in observance. While many banks provide 24/7 support year-round for reporting cards lost or stolen, some financial institutions do not. Even if your bank does provide the support, the only record you may have of that phone number may be on the card itself, so if you lose the card or have it stolen you might be at a loss as to where to call.

Luckily, most debit and credit cards are now backed by Visa or MasterCard. If your card is backed by one of these issuers, you may want to take this number down for emergencies. You know your card is backed if you see the Visa or MasterCard logo on the front.  If you are unable to contact your bank and you have had fraud or lost your card, you can use these numbers to get assistance. The representatives there can either put you in touch with the correct call center to block the card right away, or provide the service directly depending on your bank. In a pinch, these numbers can be essential.

VISA — 1-800-847-2911

1-800-MasterCard (1-800-627-8372)

Keep this information handy, but somewhere other than with your wallet (in case you lose it). I keep a long list of company phone numbers, everything from insurance to credit cards, just in case. These numbers are at the top of my list, and I have used them several times with great success. Be prepared, and all your holiday surprises will be pleasant!

Change Your Passwords: Accounts Compromised and Good Practice

Posted by: Rachel James | October 6th, 2009

Recently headlines have included the alarming news that the personal login information for thousands of Hotmail accounts was posted online. While an investigation is being conducted, experts have urged anyone with a Hotmail account to change their password immediately. Many experts also recommend that if you use that account in conjunction with other accounts, such as your social networking account, that you change the information used in those accounts as well.

Today, BBC News announced that more email accounts were posted: Yahoo, Gmail, AOL, Comcast, and Earthlink users appear among those accounts impacted. Again, security experts are urging those with accounts to change their login details.

The security implications of this are massive. Right now, news reports are stating that these appear to be the result of a massive phishing attack. On the other hand, it has already been determined that some of the accounts are old or inactive, which may indicate that this particular thief was operating for a long period of time. In any case, changing my password is only a start.  Personally, I will be taking the following additional precautions, and I would make the same recommendation to others. These are extra steps everyone should take at least once a year, or during situations where an account may be compromised:

- Awareness: If you have an affected account, make sure all of the people you email know about this story. Everyone should know that if they suddenly get a request from “you” for emergency money to be wired overseas, it is unlikely to actually be you.

- Change passwords to everything. Many accounts now have an option to have your password “expire” and prompt you for a new one periodically (usually every 72 days).

- Where possible, change your username and the “attached” emails for financial accounts and social networking pages.

- Change your security questions and answers. These are the questions asked when you click “I forgot my password”. If someone was snooping in your email, they probably know you better than your best friend. It is likely they would know the real answers to questions like “What high school did you go to?” or “What is your library card number?”

- Check the sent folder in your email to make sure you recognize all the emails that have been sent from your account.

- Be aware that this will likely result in phishing, scam, and spam attacks increasing over the next few months. In addition to the evidence of a likely successful attack, email addresses that were exposed may have been harvested by spam bots. The upcoming holiday season makes for a great opportunity for criminals to leverage this information against unsuspecting consumers. Expect phishing attacks to appear to come from charities, your financial institutions and government entities.

- Make sure your computer’s security software is updated and automatic updates are turned on and checked weekly, at least.

- Immediately report phishing emails to abuse@domain.com or spam@domain.com. If you receive what is clearly a phishing email from your friend, call them and let them know, then forward the email to one of the reporting addresses for your domain.

- Log in to your email and, using the search field, type the word “password”. Delete any emails you may have received from websites confirming your password change or providing a link to change your password. Then search for “user name” and delete those emails as well. Remember, if someone has access to your email you don’t want to give them ideas about which website or account to try next.

HITECH Act Reporting Starts September 23rd

Posted by: Doug Pollack | September 21st, 2009

Starting September 23, 2009, healthcare organizations covered by HIPAA and the HITECH Act will be required, in the case of data breach incidents where protected health information (PHI) is improperly exposed, to notify both the individuals affected by the breach and the federal government, which will post this information publicly.

The data breach notification provision was an important element of the HITECH Act, which is the first federal legislation, in this case targeted at healthcare organizations, that specifies what constitutes a data breach and what notification is required for such incidents. In this case, “breach” is defined as the “unauthorized acquisition, access, use or disclosure of protected health information (PHI).”

An interesting controversy has recently surfaced in the way the Department of Health and Human Services (HHS) has “interpreted” the HITECH Act breach notification provisions. The Interim Final Rule issued by HHS on August 24, 2009 specifies that a data breach incident involving PHI only requires notification if the breach represents a “significant risk of financial, reputational or other harm to the individual whose PHI has been compromised.”

In making this Rule, many in the industry believe that HHS has gone beyond congressional intent by adding a “harm threshold” that is to be self-assessed by the organization that has caused the data breach incident.

A recent article in Computerworld titled “HHS guts health-care breach notification law, groups warn” illustrates this disconnect. It quotes Dr. Deborah Peel, founder and chairwoman of Patient Privacy Rights as saying:

“This harm requirement actually violates Congress’ intent in the stimulus bill. This is essentially an industry rewrite of the law. Given the way the law is worded, health-care organizations will have little incentive to own up to a breach involving protected health care data. This is totally for the protection of the industry. It eliminates the consumer protection that Congress intended to be built into it.” She added that her organization will be part of a “giant response” to the proposed change by national consumer protection and privacy organizations.

Over-notification of individuals for totally benign incidents is not a positive thing, because of the level of concern and anguish that can accompany such situations. Even so, by setting a harm threshold that allows a self-assessed determination as to whether a data breach incident should be reported, HHS seems to have given healthcare providers more of a “get out of jail free card” when incidents occur than was intended by those who wrote the law.

Independent of how this controversy resolves itself, there is no question that healthcare organizations, starting on September 23rd, must carry out a “risk assessment” whenever an incident occurs that could possibly breach the security and privacy of the PHI that they hold. It would be advisable for such organizations to have clear policies and processes for such events, and to document the analysis and conclusions clearly.