Many times it is the after-incident response by an individual or company that dictates how the public reacts to the issue.
A few notable incidents include:
- Toyota and the “run away” accelerator issue
- The Sony PlayStation data breach
- LastPass possible breach
The first two above were handled in what most might call the “typical big company way”:
- Ignore/cover up the issue while looking into it.
- Hope nobody figures it out.
- Realize, too late, that everyone knows, and now you have another issue to respond to.
LastPass handled their issue in a solid manner.
- LastPass is a password management service – all users’ passwords are stored in the “cloud” encrypted.
- LastPass saw some “anomalies” in their logs.
- They didn’t like what they saw, but the anomalies didn’t point to an actual breach.
- LastPass quickly notified all users of their concern and recommended changing the primary password.
Every time there is an incident, it is the person/business who is straightforward with everyone who wins.
Consumer Reports wrote an article called “Five things companies must do to protect consumer data.”
It is a good article, and it can easily be adapted to fit a medical office. In fact, 4 of the 5 steps are already part of our HIPAA Breach Checklist, which is included with our HIPAA Contingency Plan package.
What are those 4 items?
- Promptly notify patients of data breaches posing identity theft or fraud risks…
- Disclose specifics on what type of personal data has been exposed in a breach…
- Offer victims two years’ worth of free credit monitoring services…
- Encrypt sensitive data using up-to-date industry standards.
#5 from Consumer Reports is “Treat patient data like it were the physicians’.”
We make the assumption that this is the expectation from the beginning, part of the reason for the HIPAA regulation.
Still, it is worth mentioning.
The reality is, don’t fool around with this stuff.
Understand that there are rules to follow, and your best bet for survival is to understand and follow those rules.