A Dumpster Full of Treasure

Hackers didn’t do it.  Cyber activists didn’t do it.  There was no identity theft ring to hold responsible.  What happened was the wrong boxes were picked up and thrown in a dumpster.  So, 94,000 letters had to be mailed to patients to inform them that their names, medical record numbers, payment methods, lab results, and in some cases, Social Security numbers or driver’s license numbers were unwittingly disclosed.  But at least there was no breach of the database, no penetration of the firewall, so that’s good news, right?

Wrong.  Technology did not fail in this case, people did.  And there are two reasons why this is bad news.

First, penalties.  There are a lot of requirements in HIPAA, but they boil down to the Security Rule and the Privacy Rule.  Now, the Security Rule deals exclusively with electronic health records, so it doesn’t apply here.  The other half of HIPAA, the Privacy Rule, which can be summarized as, “Don’t share personal health information unless there’s a need to know,” definitely applies.  Here there was failure.  As of this writing, there has been no announcement of any penalties coming from the Office of Civil Rights (the Health and Human Services enforcement division), but we know that penalties can be as high as $1.5 million total for a given year.  That’s the cap, which if the OCR decides penalties are in order, could be a real savings for the hospital, because the minimum penalty is $100 per record per incident, or around $9,400,000!  No doubt that will hurt financially, and that is bad not only for the hospital, but the community they serve.

Second, the public trust is damaged.  It’s hard to quantify what the public trust is worth.  There are some studies on consumer trust in other markets, but when it comes to the trust between patient and doctor, that may be worlds apart.  Lab results, even ordering certain types of lab work, offers a raw glimpse into the most confidential of health information: HIV status, drug use, pregnancy, genetic conditions, etc.  Patients may think, “better go to another hospital in town if I want it to remain between me and my doctor.”  This really hurts the entire medical field as the sterling trustworthiness of doctors and the staff of the hospitals is tarnished.

In addition to what this hospital is doing, what lessons can the rest of us learn from this incident?  As I said at the beginning, this was human error, not a technical failing   Here are some best practices to consider, given what we know, to establish a sound information security management system:

  • Assign an owner, someone who is personally responsible for the records – nothing tends to focus someone’s attention and make them truly advocate for the protection of patient information as knowing their job is on the line.
  • Label all sensitive information – whether a cover sheet, a folder, or brightly colored labels on banker’s boxes, anything confidential should be recognizable from the outside.
  • Establish a retention policy – the longer information is retained, on paper or electronically, the more likely something may happen with it; a retention policy should be attuned to the least time possible before records are destroyed.
  • Physically secure records locations – data centers or records closets, only those who are prescreened and approved as having a business requirement should have access.
  • Shred all paper records on-site – the need to remove paper to shred it at a distant location has long passed, so the option to make sure a staff member witnesses the shredding and collects the receipt is nearly universal.
  • When projects are planned, make sure information security is a part of the plan – as the axiom goes, failing to plan is planning to fail. All projects should include information security risks assessment in the planning and execution phases, along with consideration of cost, safety, etc.  This is the new norm in project management.

Anyone who handles personal health information should take this opportunity to assess their own controls and make improvements where needed.


The sky is falling! The sky is falling!

The sky is not falling – yet.  But if a recent development in Massachusetts is a harbinger of things to come, anyone involved in risk, compliance, or information security may need to prepare for some major overhauls to our risk assessments.

According to an article in National Law Review, a recent case in Massachusetts Superior Court is concerning.  The plaintiff brought a lawsuit against Boston Medical Center following the accidental exposure of patient data through a vendor web portal.  The author specifically notes that although, “Plaintiffs do not allege that any unauthorized persons actually viewed, accessed or misused their private information.”  the case was allowed to move forward based on the “real and immediate risk” of damages that may result from the disclosure of information.

So far, this is one case in Massachusetts, and in most jurisdictions courts will only allow a lawsuit if there is evidence of actual damages (identity theft, for example).  But if other courts begin to look at this case as precedent, the costs to remediate any breach or accidental disclosure could become significantly more than any institution can afford.  In addition, the insurance industry will likely respond with more stringent requirements for cyber liability insurance and premiums will likewise go up.  All of this leads back to the reliance on sound risk management beginning with the initial assessment.

It will also require hospital vendors (those business associates referred to in the HITECH Act of 2009) to redouble their efforts to identify and remediate risks before they too are front page news.