In part 1 of my PHI breach story I mentioned that I’d keep an update running, specifically that I’d write an update “in a few days”.
Well, that didn’t happen.
Mainly because after I filled out my paperwork and send it in…nothing has happened.
I suppose this is a good thing.
But this article reminded me of the situation.
First a quick reminder of what happened:
“a Pentagon contractor left 25 computer tapes in the back seat of a Honda Civic in Texas”
From this, upward of 70,000 people had their personal data stolen.
Obviously the main thing we focus on here is patient health information (PHI), but the reality is thieves are not really interested in the medical condition of the people on these tapes, no…they are interested in the identity theft value of these names.
It is the fact that there is a black market for people’s personal information so identity theft can occur that is typically the greater threat.
There are now 3 lawsuits regarding this data breach.
The deeper the pockets the more lawyers you attract…and you know that lawyers view doctors as having deep pockets.
Let’s take this to the local level now.
If you (or a business associate) have a data breach what do you need to do? Section 13402 of the HITECH Act give the direction:
- Covered entities must notify affected individuals following the discovery of a breach of unsecured protected health information.
- must provide this individual notice in written form by first-class mail, or alternatively, by e-mail if the affected individual has agreed to receive such notices electronically.
- IF you have out of date contact information for more than 10 individuals you must provide details by:
- Posting the details of your breach on the home page of your website, or
- Provide the notice in major print or broadcast media where the affected individuals likely reside
This is just the beginning (we haven’t even gotten into posting your breach in the HHS site), but let’s take a look a the scrutiny, ridicule and potential lawsuits you now opened yourself up to.
Public Relations: there is no getting around the fact that a data breach is a public relations nightmare. It is one thing to be a big “faceless” company when a breach happens, but when it is your practice in your town…everybody will know and everybody will be talking about this.
Practice Value: I’m no expert in practice valuations, but I am confident that if you have a breach, the value of your practice will surely take a hit.
Lawsuits: once word gets out that you have had a data breach, I imagine lawyers will be getting in line to sue you for damages. So, piled upon the embarrassment is the cost of defending yourself in one, and potentially multiple lawsuits.