Remorse and repercussions

You're invited to share as appropriate.

So the story goes something like this…

Two thieves broke into an office and stole a laptop on May 25th from Self Regional Healthcare. The theft was caught on video and reported to the police. The laptop was NOT encrypted and contained patients’ names, Social Security Numbers, driver’s license numbers, treating physician names, insurance policy numbers, patient account numbers, service dates, diagnosis/procedure information, payment card information, financial account information, and possibly their addresses.

The thieves stated that before they were apprehended on June 10th, they felt badly about what they had done and tried to destroy the laptop with a hammer before throwing it into a South Carolina lake. As the story goes, the laptop drifted in the lake until it eventually sank.

Attempts by the police to recover the laptop from the lake were unsuccessful, resulting in a reportable Breach** under HIPAA. (Under the new rule, a Breach is presumed whenever unsecured data is exposed or possibly exposed, unless you can “prove” that it was not compromised. The harm metric formerly used to establish whether a Breach had occurred no longer applies.) As a result, the Health and Human Services Office of Civil Rights, state regulators and the potentially impacted 39,000 individuals were notified. Free credit monitoring was offered to all 39,000 potentially impacted individuals.

At an average cost of $200 per record plus credit monitoring costs of $84 per year, the projected cost of this Breach is $11,076,000 (39,000 records × ($200 + $84)).

Editorial comment: It appears that $100 for encryption software would have been money well spent. A thorough Security Risk Analysis and HIPAA audit would have found this and other disproportionate exposures.

Want an analysis and/or HIPAA audit? Have a HIPAA question? Feel free to call or write.

** The term “Breach” is generally defined in HIPAA as the unauthorized acquisition, access, impermissible use or disclosure of unsecured PHI where an impermissible use or disclosure of PHI is presumed to be a Breach unless the Covered Entity or Business Associate demonstrates that there is a low probability that the PHI has been compromised.