Stolen patient records call for better communication

It's very disconcerting that TRICARE contractor Science Applications International Corporation (SAIC) lost unencrypted backup tapes from an electronic health care record containing the personally identifiable and protected health information impacting almost 5 million military clinic and hospital patients. The tapes, which included 19 years worth of patient data, were stolen from the car of an SAIC employee.

Even more disconcerting: Not only was this kind of security breach--theft of patient information from a contractor's car--not an isolated incident, but with a little communication, it likely was easily avoidable.

In August, Saint Barnabas Health Care System in New Jersey and Cook County Health and Hospitals System in Chicago both reported that they were affected by a breach involving the theft of an external hard drive from the car of an employee of MedAssets, a business associate of the two hospital systems that provided revenue management and supply chain services. The breach involved the records of 82,000 patients. The hard drive was neither password protected nor encrypted. 

The SAIC employee in the TRICARE breach valued his stolen car stereo system at $300; meanwhile, the stolen Tricare backup tapes were valued only at $100.

According to a recent Ponemon Institute report, however, it now costs the victim of a security breach $214 per compromised record and an average of $7.2 million per data breach event. A large part of the problem is that some business associates, although relatively familiar with HIPAA's privacy rule, still are not as well versed in HIPAA's security rule and the security breach notification requirements.

"There's a lack of professionalism," Tony Ryzinski, senior vice president of product management and marketing for Sage Healthcare tells FierceEMR. "People are treating the media without the care they should."

Patient data is only as protected as the weakest link, adds Christine Kelly, president of Baltimore-based CMK Consulting. Kelly, a business associate herself, admits to being "neurotic" about protecting her clients' patient data.

"This is my worst nightmare," she says.

It may sound simple, but healthcare organizations need to talk to their contractors who handle patient data. Ensure that they're taking the proper precautions regarding the data, including encryption and employee training.

"Make sure employees don't leave [patient information] unattended," Ryzinski says. "It's like leaving a baby in a car. This is their baby." - Marla