“Another medical bill?” I thought as I saw an envelope sitting on top of the mail pile with the logo of the health care system I use. “I know I already paid this….”
Irritated, I opened the envelope, envisioning the phone calls, canceled checks and other hoops I’d have to jump through to prove the bill had been paid. Well, was I in for a surprise. The letter inside had nothing to do with medical bills. No, it was to inform me that my personal information, including my name, address, Social Security number, physician name, medical record number and health insurance information, may have been compromised. This makes me part of the second largest HIPAA data breach to date.
On July 15, an administrative office at Illinois’ largest health care system, Advocate Health Care, was burglarized and four password-protected computers were stolen. If that is not unfortunate enough, the four computers were unencrypted. A police investigation is underway and, on Aug. 23, the system began sending letters regarding the incident to patients – like me – whose data may have been compromised by the theft. There are about 4 million of us, since the computers contain information going back to the 1990s. We’re being offered a free one-year membership to an identity protection service. On Sept. 6, two plaintiffs representing patients filed a class-action lawsuit against the health system.
This is not Advocate’s first experience with a data breach. In 2009, 812 patients’ records were compromised when an employee’s unencrypted laptop was stolen. They are also not alone in suffering data breaches. Howard University, the Utah Department of Health and TRICARE have all experienced data breaches.
The concept of HIPAA violations has been drilled into clinicians’ heads for the past decade or so. Don’t give out information about a patient over the phone unless you have written permission. Don’t discuss patients or their care in public places. Don’t release medical records unless you have the proper paperwork to do so. Privacy is such a big concern that it sometimes impedes the other P in HIPAA—portability.
While clinicians have been indoctrinated to withhold information from nosy neighbors or estranged siblings, it seems that physically securing the data when it is stored electronically is still a challenge. Learning from others’ mistakes, or from your own in the case of Advocate, seems to be slow going.
Is it because health care is adopting EMR and Health IT at such a rapid pace that implementing and securing technology is overwhelming? Or is cyber-theft unavoidable in our technology-laden world? It’s not just health care companies that have experienced theft of clients’ personal information. Companies like Coca-Cola, NASDAQ and 7-11 have also fallen prey to hackers. Is it a given that there’s someone out there with the skills to outsmart or circumvent any security measure?
I’m not sure of the answers to those questions. I do know there needs to be a serious effort to learn from mistakes. For example, if you had a data breach because a computer was not encrypted, you should probably make data encryption a priority. There are resources out there to provide direction regarding health information privacy.
The Office of the National Coordinator for Health Information Technology has a Guide to Privacy and Security of Health Information that outlines ways to improve health data security. It describes five security components for risk management:
- Physical safeguards like building alarm systems and locked offices.
- Administrative safeguards like staff training and review of user activities.
- Technical safeguards like virus checks and data encryption.
- Policies and procedures like record retention.
- Organizational requirements like breach notification reviews and updates.
The Department of Health and Human Services (HHS) has the Security Rule Guidance Material webpage, CyberSecurity video, a 10-step plan for health information privacy and security and many other resources available.
Sometimes things that are unavoidable happen, but it’s better to try to stay ahead of the game and keep your patients’ personal information safe. It’s very much like the safety measures you take at home. Someone can always break in, but it’s going to be more difficult for them to do it if you lock your doors and windows or have an alarm system.