Recent Data Breaches - Important Lessons Learned

11-03-2011

Adam Kehler, PA REACH, HIT Privacy & Security Specialist

In the interest of staying current on trends in data breaches, I would like to call attention to three recent incidents of breaches of protected health information (PHI) that have appeared in the news.

The first case was from Nemours Foundation in Wilmington, Delaware.  When performing a remodeling project, backup tapes from a legacy system were lost.  Because it cannot be determined who had gained access to the information, and the data was not encrypted, this was considered a breach of all patient records contained on those tapes. (http://www.delawareonline.com/article/20111013/BUSINESS13/110130347/Nemours-patient-data-tapes-missing?odyssey=tab|topnews|text|Home)
 
The second case, from Adult & Pediatric Dermatology in New Hampshire, occurred when a flash drive was stolen from a locked car.  The drive contained images of patients, reports, and letters.  Again, the data was not encrypted and therefore this was considered a breach of all patients whose information was on that drive. (http://www.metrowestdailynews.com/editorspick_mobile/x1092315665/Thousands-of-medical-records-stolen-in-car-break#ixzz1alsxI7Mr)
 
Finally, Tricare Management Activity, a health insurance carrier for the Defense Department, had a breach affecting 4.9 million patients.  This occurred when an unencrypted backup tape was stolen from the car of a company contracted to store the backup tapes.  The result of this breach is that they are defending a class-action lawsuit seeking $4.9 billion in damages. (http://www.modernhealthcare.com/article/20111014/NEWS/310149988/breach-spurs-lawsuit-seeking-4-9-billion#)
 
 
Some takeaways from these incidents are:
 
1.    Encryption – In each of these cases, there was one simple solution that could have prevented these breaches.  If the backup tapes or flash drives were encrypted using strong encryption (AES), these cases would not have been considered breaches because the data would be deemed unusable.  I recently visited a practice that had their EHR server stolen from their facility.  Many EHR installations do NOT have their databases encrypted even though all certified EHRs are required to have the ability to encrypt the database.  Furthermore, many practices assume their databases are encrypted because they are password-protected or they are using a SQL Server Database; this is simply not the case.  The encryption of the database and backups are incredibly important issues to bring up during the implementation of an EHR system. 
 
2.    Know where your data resides – The location of protecting Protected Health Information (PHI) extends well beyond the walls of the EHR system.  In the second article above, a flash drive containing medical images was stolen.  Other locations can include billing systems, practice management systems, Word and Excel files, fax images, images creating from imaging devices, text messages from an answering service, etc.  This reinforces the importance of doing comprehensive risk assessment.  The first step in the risk assessment process is to identify all of the locations where PHI resides and is transmitted.  Then for each of those locations, you determine potential risks to the information and ways to encrypt or otherwise protect the information.
 
$$$$ - The 3rd article illustrates the fact that there are real financial costs to not properly protecting PHI.  Costs can include fines from OCR, lawsuits, administrative costs for notifying all affected patients, and reputational harm.  The cost of encrypting PHI or otherwise putting strong controls around protecting PHI are generally much smaller than the cost of a breach.