Posts Tagged ‘Data Breach’


Outsourced data breach response lowers costs

Posted by: Doug Pollack | February 9th, 2010

The Ponemon Institute released their 5th annual 2009 Annual Study: Cost of Data Breach last month.  This year, the report explored several new areas and came up with some interesting and in some cases surprising conclusions.

These include:

- Customer/patient/client churn rate, the tendency for a data breach event to cause them to “vote with their feet” and choose another provider, remains the key cost driver for data breach incidents. Such lost-customer costs are typically two-thirds of the cost of a data breach. Industries that exhibit the highest churn rates are healthcare, pharmaceuticals and communications (all 6%).

- Almost half (44%) of organizations outsourced the data breach response effort to an expert third-party consultant. When outsourced in this way, the costs per victim declined a huge 26% vs. companies that “go it alone”. The ability to reduce costs by outsourcing the response process is counterintuitive to some, but validates the value of an outside consultant that is knowledgeable and can execute using best practices.

- “Companies that notify too quickly may incur higher costs”. This was surprising to me. The study found that these “quick responders”, organizations that notified within one month of detection of the breach, ended up paying 12% more than their peers. The assumption was that moving too quickly through the process causes inefficiencies that can be avoided.

As always, the study and report are full of valuable and interesting data and perspective for privacy, information security, legal and financial officers. It is a “must read” for anyone in a relevant role at an organization that is entrusted with PII and PHI, especially the CISOs who are most frequently the organizational members responsible for the handling of data breach incidents.

Connecticut Sues Health Net for Data Breach

Posted by: Doug Pollack | January 16th, 2010

This week, the Connecticut Attorney General, Richard Blumenthal, sued Health Net of Connecticut for a data breach and their subsequent handling of the incident. As he notes, this lawsuit is historic, in that it is the very first enforcement action under HIPAA since the law was extended and enhanced with the HITECH (Healthcare Information Technology for Economic and Clinical Health) Act.

“Sadly, this lawsuit is historic — involving an unparalleled health care privacy breach and an unprecedented state enforcement of HIPAA,” Blumenthal said. “Protected private medical records and financial information on almost a half million Health Net enrollees in Connecticut were exposed for at least six months — most likely by thieves — before Health Net notified appropriate authorities and consumers. These missing medical records included some of the most personal, intimate patient information — exposing individuals to grave embarrassment and emotional distress, as well as financial harm and identity theft. The staggering scope of the data loss, and deliberate delay in disclosure, are legally actionable and ethically unacceptable. Even more alarming than the breach, Health Net downplayed and dismissed the danger to patients and consumers. Failing to protect patient privacy blatantly violates federal law and Health Net’s public trust. We are seeking a preliminary order to protect patients and consumers, and will fight for civil penalties.”

It is likely that, while this is a first, it is the beginning of a new era for healthcare organizations and the expectation that they will take the privacy obligations of their patients seriously. While unfortunate, this situation illustrates that some healthcare organizations require stronger motivation both to protect patient information and to follow good sense and legal requirements to promptly notify individuals if there has been a breach of their information that may put them at risk.

Remain Vigilant to Protect Yourself from Identity Theft

Posted by: Doug Pollack | January 8th, 2010

As this comic strip illustrates, we can be our own worst enemy when it comes to exposing ourselves to risks of identity theft and crime. Increasingly, scammers will provide you with significant valid information such as your name, credit card number and issuing bank in order to gain your trust and solicit additional information such as the 3-digit card security code (CSC), with which they can more easily perpetrate various types of financial fraud.

[Comic strip image]


Healthcare Breach Reporting Article Highlighted by HCPLive

Posted by: Rachel James | December 21st, 2009

Thanks to Healthcare Professionals Live for highlighting this article and the important questions it highlights.

…I was wondering about why there have yet to be any healthcare data breaches posted on the Health and Human Services (HHS) Office of Civil Rights (OCR) website. Because there have been a number of substantial incidents reported in the press since the notification requirement under the HITECH Act went into effect, it was unclear as to whether the covered entities were remiss in reporting or whether the hold up was at OCR…


North Pole Data Breach

Posted by: Doug Pollack | December 16th, 2009

Just in…Santa retains ID Experts to provide breach remediation assistance.


Healthcare Ready for HITECH?

Posted by: Doug Pollack | November 20th, 2009

HIMSS Analytics this past week released a study titled “Evaluating HITECH’s Impact on Healthcare Privacy and Security” that looks at healthcare providers and their business associates, relative to their awareness of the HITECH Act’s data breach provisions, as well as their experience with data breach incidents and concerns about preparedness and compliance with HITECH Act provisions.

This study, co-sponsored by ID Experts, the leader in identity breach protection, exposes some significant concerns. It concludes that healthcare business associates, those organizations that provide services such as billing, credit bureaus, benefits management, legal services, claims processing, insurance brokers, data processing firms, pharmacy chains, accounting firms, temporary office personnel, and offshore transcription, are “unprepared for data breach”.

Further, it notes that “68 Percent of Provider Respondents Indicated that the HITECH Act’s Expanded Breach Notification Requirements will Result in More Discovery and Reporting of Incidents”.

This implies that healthcare organizations are experiencing data breach incidents that in the past have either gone unrecognized or unreported, and that the new law is likely to “expose” more incidents because of the compliance requirements and the potentially large penalties for non-compliance. It also notes that a lack of preparedness and concern on the part of healthcare providers’ business associates creates a very significant risk to the privacy of their patients.

Staying HITECH-Healthy: How Healthcare Can Protect Patient Privacy

Posted by: Doug Pollack | November 4th, 2009

September 23, 2009 marked a major milestone for patient rights. That is when the new Health Information Technology for Economic and Clinical Health (HITECH) Act took effect, requiring healthcare organizations to take more responsibility for protecting patient records and health information.

The HITECH Act seeks to streamline healthcare and reduce costs through the use of health information technology, including the adoption of electronic health records.  To ensure technology and security go hand-in-hand, the HITECH Act also includes strict new rules for notification in the case of a data breach incident where protected health information (PHI) is improperly exposed.

Healthcare organizations and their business partners are now required to notify individuals affected by a data breach and the federal government, who will post the information publicly.  The HITECH Act also stiffens penalties for non-compliance—up to $1.5 million.

It is too soon to see the full impact of the HITECH Act.  Certainly, government agencies are fine-tuning—and debating—the details.  But whatever happens in Washington, healthcare organizations would be smart to ask:

- Will the federal and state governments impose even stricter privacy initiatives over the next six months as a result?

- Will the move toward electronic health records increase healthcare breaches?

- Regulatory penalties aside, what are the consequences of a data breach, such as loss of credibility for my organization, and medical and financial risks to people whose data was lost?

Tighter Privacy Laws. More Data Breaches.

These new regulations come at a time when healthcare breaches are on the rise; according to the 2009 ITRC Breach Stats Report, healthcare breaches account for over 66 percent of all records breached this year (up from 20 percent in 2008). In fact, some of the largest names in healthcare suffered data breaches. In one incident, an employee at a high-profile medical center allegedly stole the personal information of 1,000 patients with the intent to defraud insurance companies. Another case involved the theft of a laptop that may have contained PHI such as medical record numbers, names, and Social Security numbers. And at a New York City hospital, an admissions employee was suspected of selling 2,000 patients’ data as part of an identity theft scheme and illegally accessing nearly 50,000 records.

Data Breaches Don’t Have to Spell Disaster.

With these new regulations in place, healthcare organizations are scrambling to understand the requirements and how to adapt and comply.  Unfortunately, we have learned firsthand through managing hundreds of data breaches that few organizations actually have breach response plans in place, despite the laws.

For the well being of the business and patients, healthcare organizations and their partners need to take the most comprehensive approach to data breach preparedness, as one customer did:

Thieves broke into a prominent healthcare facility and took, among other items, a desktop computer containing patients’ personal information.  Approximately 4,000 medical records were at risk.

The breach team at ID Experts provided a risk assessment for the hospital, communication with the affected population, and protection and recovery services for those affected.  In the end, ID Experts handled more than 1,500 calls; only a handful of callers required assistance directly from the hospital.  We delivered notifications to more than 5,000 people and provided membership in our protection and recovery services program to more than 1,200 people.

An excellent tool for establishing procedures in advance of a data breach is the incident response plan.  ID Experts offers services that provide guidelines for establishing an incident response team and outlines responsibilities and actions.  The plan contains instructions, worksheets and materials that can be used to streamline the response process.

The new HITECH Act requirements will likely affect every aspect of your operations: business and healthcare processes; IT data security, retention, and monitoring; contracts and business relationships.  With increasing risks, having a response plan in place will benefit your patients, your employees and your business.

Data breaches result in 4X increase in identity fraud

Posted by: Doug Pollack | October 30th, 2009

Because data breaches have become such commonplace incidents, there is concern that people have become desensitized to the potential harm they face when they receive a notification letter from an organization they’ve trusted with highly personal information, telling them that this information has been lost or misappropriated.

A recently published report from Javelin Strategies should be a wake-up call to those people.

“The Javelin report, Data Breach Notifications: Victims Face Four Times Higher Risk of Fraud, is based on multiple years of data and includes updates on 2009 data breaches, implications of changes to the legislative landscape and the technical means by which data breaches occur.”

This report should also be heeded by those banks, healthcare organizations, government agencies, insurance companies and others that we entrust with our Social Security and checking account numbers, birthdates and mothers’ maiden names, and in some cases our personal health information. There is now proof that data breach incidents put the affected individuals in harm’s way. The responsibility for doing everything possible to help these people address this harm — from identifying identity fraud to cleaning up the fraud — should fall squarely in the laps of these organizations.

Healthcare Debate Gets into Data Breach Provisions

Posted by: Doug Pollack | October 5th, 2009


Some controversy has been stirred up in a less-followed area of the healthcare debate than single payer: the privacy of health information. The Department of Health and Human Services just released its rules for healthcare organizations to follow the data breach notification provisions of the HITECH Act.

In the rules, they have established a “harm threshold” which is self-assessed by the healthcare organization, and directed that in the case of a data breach incident, notification of the individuals, the public and their agency ONLY needs to occur if the organization has determined that there is significant risk of financial, reputational or other harm to those affected by the data loss.

This past week, the House Committee on Energy and Commerce voiced concern over the addition of this provision. They indicated that it was not the intent of the legislation to provide for notification in the case of a data breach incident only in cases where harm can be proved, but rather for all data breach incidents. Presumably this is meant to act as a deterrent to organizations with lax practices, as well as to ensure that individuals can practice due care, even in cases where there may be little chance of real harm.

Network World reported in their article titled “House members seek stronger health care data breach notifications, ‘Harm threshold’ runs counter to Congress’ intent” that:

“In a letter dated Oct. 1, members of the House committee asked HHS Secretary Kathleen Sebelius to revise or repeal the new provision at the ‘soonest appropriate opportunity’. The letter, signed by the chairman of the committee, Rep. Henry Waxman (D-Calif.) and others, noted that the new harm threshold provision runs counter to Congress’ intent in passing the breach notification bill. The bill’s statutory language does not imply a harm standard, Waxman wrote. In fact, in drafting the bill, Congress had explicitly rejected the idea of including such a provision because of the ‘breadth of discretion’ it would have given a breached entity, the letter said.”

It is terrific to see Congress trying to do the right thing, when it comes to the privacy of protected health information (PHI). I’m hopeful that HHS will see the wisdom in revising their rules for the benefit of all of us that rely on the American healthcare system.

Measure data breach risk?

Posted by: Doug Pollack | October 1st, 2009

In recent months, with the continued growth in highly public data breach incidents, we began looking at how organizations assess their level of exposure to data breach risk. I suspect if you ask the CEO of most public companies or public sector organizations about their level of risk, that they would tell you that they are “highly secure” and maintain excellent practices to prevent the misappropriation of personal information of their customers, patients, employees, students and other affiliates.

Many firms have to meet security and compliance requirements that are necessities in their industry, such as PCI for those that handle credit card information and HIPAA for healthcare organizations. Historically, I think that they felt such rigorous compliance requirements could ensure their safety from the risks of data breach.

However, the recent past demonstrates that no organization is really immune to a potential data breach incident. The very visible Heartland Payment Systems breach affected many millions of Americans whose credit cards were processed by Heartland, an organization that had to adhere to very strict security standards set for the financial industry and their payment processors. This seeming inconsistency between a perception of being immune from data breach risks and the rapid growth in data breach incidents led us to think about whether organizations can “quantify” their level of data breach risk.

We were somewhat surprised that there isn’t much available to organizations to help them in measuring and scoring their level of data breach risk. Given this situation, we began to look at how we could model and quantify risks specific to the breach of personally identifiable information (PII) and personal health information (PHI), since it is the unauthorized release of this information that is regulated by state and now federal laws.

To this end, we created what we call the Breach Healthcheck(tm), a tool that uses a proprietary model to assist organizations in quantifying two dimensions of measurement into a Breach Protection Index(tm) — measuring both an organization’s level of data breach exposure and its level of data breach protection. Breach Healthcheck then maps this index onto a two-dimensional risk map that gives organizations a visual indicator of their level of data breach risk.

Our sense is that organizations that are trusted to hold PII and PHI will find it useful to be able to measure their level of data breach risk, and to understand the primary areas where their practices may lead to unanticipated levels of risk. To get complimentary access to the Breach Healthcheck tool, qualified organizations can contact ID Experts at www.idexpertscorp.com or 866-726-4271.