The cost of a significant data breach of protected health information (PHI) has been a popular topic in the news recently. The new ANSI publication “The Financial Impact of Breached Protected Health Information – A Business Case for Enhanced PHI Security” debuted with much fanfare in D.C. earlier this month. White House Cybersecurity Coordinator Howard Schmidt kicked off the March 5th press conference at which the release of the report was announced, and his participation helped elevate the issue to a national audience.
The following day, many of the companies who helped ANSI produce the study revved up their own PR engines. Their warning: while the widespread adoption of electronic health records will ultimately translate into greater efficiencies and better patient care, it also creates the possibility of massive data breaches. The risks to healthcare organizations go far beyond the penalties imposed by HHS; organizations must also consider the costs of restitution, legal fees, media relations, brand damage, and exposure to class-action lawsuits.
It was against this backdrop that, on March 13th, the Department of Health and Human Services (HHS) announced a data breach resolution agreement with BlueCross BlueShield of Tennessee (BCBST), including a settlement payment of $1.5 million for potential violations of the HIPAA Privacy and Security Rules. The breach was reported to HHS in 2009 after 57 unencrypted hard drives were stolen from a “data storage closet” in a customer call center facility that BCBST leased in Chattanooga, Tennessee. Over 1 million health records were affected. The drives held roughly 1,000,000 audio and 300,000 video recordings of customer service calls, and the personal data compromised included names, Social Security numbers, dates of birth, diagnosis codes and health plan ID numbers.
At first glance, the $1.5 million fine looked very light for a breach affecting 1 million patients. Dr. Deborah Peel, founder of Patient Privacy Rights, commented on ModernHealthcare.com that the amount of the fine was “practically nothing,” particularly for such a large insurer. Additional reports confirmed that since the incident, BCBST has spent over $17 million on investigation, notification and protection efforts. This was no doubt a factor that HHS considered when settling the case. In fact, the ongoing HHS/OCR investigation and the persistent “overhang” of pending enforcement action was likely, in and of itself, the justification for making these improvements. Under classic behavior modification theory, the threat of punishment can often be more effective than the punishment itself (if you have kids, you know what I mean).
Yet the total of $18.5 million for a 1 million record breach, or approximately $18.50 per record, pales in comparison to the estimates used in “The Financial Impact of Breached Protected Health Information – A Business Case for Enhanced PHI Security.” Industry analysts consistently put the cost of a PHI or PII data breach in the hundreds of dollars per record. A common restitution offer of late has been credit monitoring services for each individual for 2-3 years to protect against medical ID theft, generally at a cost of around $29 per individual per year. Recent class action lawsuits filed following PHI data breaches have asked for damages of $1,000 per patient.
So did BCBST get off easy? Well, they certainly did a good job of damage control. But in today’s environment, I doubt anyone could follow suit. BCBST very likely benefited from HHS/OCR not being in a position to immediately enforce the Breach Notification Rule, given that the HITECH Act itself had been enacted only a few months prior to the breach. Now, some 2½ years later, they’ve had a chance to implement a stronger IT security program, including encryption of their PHI data at rest, a step we at Redspin strongly advocate (the stolen drives were unencrypted, so encryption at rest would have turned this theft of hardware into a non-breach of the data). Also, no cases of ID theft or fraud have come to light as a result of the breach.
While BCBST admitted no liability as a result of the theft of the hard drives and the data on them, they did agree to a 450-day corrective action plan (CAP) under which their policies, procedures, security controls and operations will be under enhanced scrutiny. As I told Information Week Healthcare:
“The monetary penalty may grab headlines but it’s the corrective action plan that provides the most insight. Effective IT security and compliance is only possible through an ongoing process. BCBST has now agreed to periodically review its policies and procedures, conduct regular HIPAA training for all employees, and monitor adherence to its own corrective action plan.”
These provisions will add to BCBST’s operational overhead for sure, but in reality, the CAP just reinforces prudent and responsible information security management, something all healthcare organizations need to have in place now. The risks (and potential costs) of data breach will accelerate geometrically as the adoption, implementation, and utilization of electronic health records continues to increase.