The history of aggressive advertising by Lifelock, as well as Experian with their FreeCreditReport.com singing pirate ads, has been aimed at giving consumers a sense that they can prevent them from falling victim to identity theft.

FTC Chairman Jon Leibowitz said in a statement that:

“While LifeLock promised consumers complete protection against all types of identity theft, in truth, the protection it actually provided left enough holes that you could drive a truck through it.”

Illinois Attorney General Lisa Madigan concurred by saying:

“This agreement effectively prevents LifeLock from misrepresenting that its services offer absolute prevention against identity theft because there is unfortunately no foolproof way to avoid ID theft.”

Unfortunately, this situation illustrates how a company can parlay millions of advertising dollars into a consumer franchise based on fundamentally unsound claims. Certainly a perfect example of where a real consumer need based on a serious problem — identity theft — is being addressed by a organization that isn’t playing straight with the American people.

Over six months in 2009, 12,500 mobile devices were left in taxis. And 4,500 USB “thumb” drives were left in pants pockets that were then set to the cleaners. And the vast majority of these devices did not use data encryption.

What makes this so damaging to the organizations that employ these individuals, is that one-third of healthcare professionals maintain patient data on their mobile devices – smartphones, laptops and removable media such as memory sticks.

Now that the data breach provisions of the HITECH Act our open to enforcement, such incidents may cost the healthcare provider up to $1.5 million. Quite a sum for a simple momentary lapse or accident.

This article, and the related study, highlights the importance for healthcare providers to evaluate the risk factors for non-malicious identity data loss. These types of risks are often overlooked, or at least prioritized at a lower level, by security professionals because of the tendency to focus on technology solutions for data security. Or in lieu of technology, to rely on policies.

While I suspect most healthcare providers have policies to inhibit professionals to storing patient data on their laptops, moving it from one location to another with a thumb drive, or viewing it on a smartphone, as a practical matter, these do not appear to stand in the way of progress. And progress of this sort creates risks that organizations must acknowledge as a first step towards understanding how to manage them.

With the passage of the HITECH Act last year and the clarifying Rules published by Health and Human Services (HHS), healthcare organizations now face greater scrutiny and higher risks when it comes to patient privacy.

Historically, there has been the perception of a somewhat lax environment relative to the enforcement of HIPAA privacy regulations. With HITECH only just recently becoming enforceable, the first lawsuit has already been filed by the Attorney General of Connecticut against Health Net of Connecticut concerning their delayed response to a data breach incident that occurred months ago. If this is any indicator, the enforcement environment for HITECH is likely to be very vigorous.

With this backdrop, ID Experts created a data breach remediation offering that is tailored to meet the needs of healthcare providers and payers, and their business associates.

Until recently, common practice has been for organizations that have a data breach incident to offer victims a year or two of credit monitoring. Unfortunately, credit monitoring alone is woefully inadequate in helping individuals deal with the risks of medical identity theft and health insurance fraud. With that in mind, ID Experts created FraudStop Healthcare Edition.

FraudStop Healthcare Edition combines several components that help individuals affected by a data breach detect and address the identity theft issues that can result from a data breach. These include:

- Credit montoring

- CyberScan, a tool that scours cyberspace for the buying and selling of personal information including for use in insurance fraud

- Healthcare Identity Protection  Toolkit, a new and unique offering from ID Experts that includes a collection of tools, checklists, resources and guides for assisting an individual in monitoring their medical identity and resolving fraud issues

- Identity theft reimbursement insurance

- Fully managed identity theft restoration services

Together, this package provides the most robust offering in the market today for healthcare providers dealing with data breach risks to assist patients in ensuring their privacy.

If your organization is in the healthcare industry and subject to the HITECH Act, you now have a better and more caring answer for your patients when dealing with occasional, but typically recurring, data breach issues.

These include:

- Customer/patient/client churn rate, the tendency for a data breach event to cause them to “vote with their feet” and choose another provider, remains the key cost driver for data breach incidents. Such lost customer costs are typically 2/3rds the cost of a data breach. Industries that exhibit the highest churn rates are healthcare, pharmaceuticals and communications (all 6%).

- Almost half (44%) of organizations outsourced the data breach response effort to an expert third party consultant. When outsourced in this way, the costs per victim declined a huge 26% vs. companies that “go it alone”. The ability to reduce costs by outsourcing the response process is counterintuitive to some, but validates the value of an outside consultant that is knowledgeable and can execute using best practices

-  “Companies that notify too quickly may incur higher costs”. This was surprising to me. The study found that these “quick responders”, organizations that notified within one month of detection of the breach, ended up paying 12% more than their peers. The assumption was that moving too quickly through the process causes inefficiencies that can be avoided.

As always, the study and report is full of valuable and interesting data and perspective for privacy, information security,  legal and financial officers. It is a “must read” for anyone in a relevant role at an organization that is entrusted with PII and PHI, especially the CISOs who are most frequently the organizational members responsible for the handling of data breach incidents.

“Sadly, this lawsuit is historic — involving an unparalleled health care privacy breach and an unprecedented state enforcement of HIPAA,” Blumenthal said. “Protected private medical records and financial information on almost a half million Health Net enrollees in Connecticut were exposed for at least six months — most likely by thieves — before Health Net notified appropriate authorities and consumers. These missing medical records included some of the most personal, intimate patient information — exposing individuals to grave embarrassment and emotional distress, as well as financial harm and identity theft. The staggering scope of the data loss, and deliberate delay in disclosure, are legally actionable and ethically unacceptable. Even more alarming than the breach, Health Net downplayed and dismissed the danger to patients and consumers. Failing to protect patient privacy blatantly violates federal law and Health Net’s public trust. We are seeking a preliminary order to protect patients and consumers, and will fight for civil penalties.”

It is likely this while this is a first, that it is the beginning of a new era for healthcare organizations and the expectation that they will take the privacy obligations of their patients seriously.  While unfortunate, this situation illustrates that some healthcare organizations require stronger motivation to both protect patient information as well as to follow good sense and legal requirements to promptly notify individuals if there has been a breach of their information that may put them at risk.

“In 2009, PrivacyRights.org reports that there were 46 breaches of PHI representing nearly 80M records.  Note that 76M of those records were from the VA that inadvertently sent one of its RAID drives out for repair without cleansing it of those 76M records of veterans.  If you can’t trust the government to keep your PHI safe, who can you trust?”

Now I must admit, I would never have suggested that it is reasonable to assume that the government is good at maintaining privacy of personal information that they collect on American citizens. But it is reasonable to assume that as more protected health information (PHI) is collected, stored, shared and manipulated in computer systems at healthcare providers and payors, that the risk of exposure, and the subsequent number of data breach incidents, will rise.

So it really does make for an interesting thought, do I trust my doctor and hospital with my health data? Do I trust my health insurer with my health data? How about my pharmacy? Like it or not, I don’t have much choice but to provide them with or allow them to access my PHI.

But I do have a choice as to whether I should entrust Microsoft or Google with this sensitive information. Both companies have built systems “in the cloud” that allow consumers to centralize their personal health history. Microsoft HealthVault is designed to let us “collect, store, and share health information critical to our family’s well-being” and Google Health allows us to “organize our health information all in one place, gather our medical records from doctors, hospitals, and pharmacies, and share our information securely with a family member, doctors or caregiver.”

Microsoft has made HealthVault quite “open”,enabling organizations such as providers, payors, pharmacies and others to create applications for individuals to import information that they hold on us into our HealthVault account. I setup a HealthVault account, to see how this worked. Unfortunately, neither my national pharmacy chain nor my health insurer were on the list of those who make such information “exportable” to HealthVault.

Assuming that my trusted providers, insurer and pharmacy do provide such export capabilities in the future, it still leaves me with a nagging concern: do I really trust Microsoft to hold my entire medical life history? While I’d love to have all of this information in one place, and to be able to make it available to healthcare providers that I may wantto see in the future, the thought of entrusting this to anyone is daunting, not the least of which a company who’s software is a constant target for viruses, worms and malware of all kinds.

So for now, I probably won’t start trusting my medical history to either Microsoft or Google.  My health data will be remain somewhat safe with doctors, an insurer and a pharmacy, and numerous business associates of their that I don’t even know by name, that I hope I can trust. But given the number and scope of data breaches the last year or so in healthcare, I’m not really feeling very confident about my healthcare data privacy at this moment.

“Necessity being the mother of invention, a constrained economic environment will lead to health IT innovations in two ways. First, lower cost technologies are emerging in health IT, such as open-source software, software as a service, and cloud computing, all of which will be priced lower than traditional health IT offerings. Cloud computing (the use of the Internet to store, manipulate and deliver data already existing on the Web) is seen by some health IT consultants as a useful tool in health, especially for small medical practices.”

The growth in adoption of electronic health record (EHR) systems, combined with the noted trends towards the use of open source software and cloud computing, combined with a new privacy legislation with steep penalties for breaches in security, creates a “perfect storm” for healthcare with respect to data breach incidents.

iHealthbeat article further notes the evolution of risks and new legal requirements now associated with HIPAA business associates.

“We can expect tougher privacy and security enforcement in health care in 2010 because of new and heftier privacy and security penalties written into the American Recovery and Reinvestment Act. The civil penalty cap will be raised from $25,000 to $1.5 million. This is a major issue for 2010 because nearly 60% of business associates interviewed in a HIMSS Analytics survey in November 2009 were unaware that changes to HIPAA will go into effect in 2010. That’s when consumers are guaranteed ‘prompt access’ to an electronic copy of their health records.”

Everything points toward 2010 being a very interesting year when it comes to patient privacy and data security.

…I was wondering about why there have yet to be any healthcare data breaches posted on the Health and Human Services(HHS) Office of Civil Rights (OCR) website. Because there have been a number of substantial incidents reported in the press since the notification requirement under the HITECH Act went into effect, it was unclear as to whether the covered entities were remiss in reporting or whether the hold up was at OCR… (continue reading)

Thanks to identity theft awareness programs, many people are now exercising increased caution when online. Most folks understand the danger in revealing too much personal information on the Internet, or falling for phishing scams. However, there are still some persistent myths that may be keeping you from protecting yourself and your identity. Here we will look at just three of these myths, and the facts that lay behind them.

Myth 1: I know what those scams look like, bad spelling and terrible English- who falls for those things anyway?

Fact: Indeed, many people are familiar with the obvious signs of a scam. So many people are wise to these frauds that scammers have begun to outsource their products and develop corporate-like organizations to work…(continue reading)