Two healthcare organizations are taking a public beating over info security breaches that exposed patient data--and one of them may be on the hook for huge legal penalties. The Akron Children's Hospital publicly admitted last week that an intruder had gained access to patient and charitable donor information. Around Labor Day, the hospital learned that German intruders had accessed information concerning about 200,000 patients. The data included Social Security numbers, bank account information and donor routing numbers. Last week, the hospital went public with the incident. In a statement on its website addressing the issue, the hospital said that it wasn't aware of any illegal use of the information. Repairing the breach could be costly; if one industry estimate is correct, it could cost Children's $200 per record breached to lock down its systems again. And there's no guarantee that it couldn't happen again, with a world full of attackers trying to outsmart honest admins.
Still, if Children's is fortunate, it will avoid the fate of the Sisters of Saint Francis Health Services, which is being sued for an eye-popping $1.3 billion (or $5,000 per claimant) over its recent data breach. SSF, which runs hospitals in Illinois and Indiana, lost track of 260,000 records when a contractor copied patient information onto CDs, placed the CDs in a computer bag, then inadvertently returned the bag to a store with the CDs still inside. The suit names SSF, the contractor and the contractor's employer, Perot Systems subsidiary Advanced Receivables Management. The attorneys involved are hoping to get the suit certified as a class action. In the meantime, they want to force SSF to pay credit monitoring fees for the patients and employees involved, which, apparently, they haven't yet volunteered to do. (If they haven't, shame on them.)
For background on the breaches:
- read this article from WKNY.com on the Children's situation
- read the Indianapolis Star piece on the St. Francis suit