If I’ve learned anything from the oil spills by Exxon Valdez and BP, it’s that cleaning up a mess is much more costly than preventing it from happening altogether. On March 13, BlueCross BlueShield of Tennessee (BCBST) was slapped with a $1.5 million fine from the US Department of Health and Human Services (HHS) for the theft of 57 hard drives from a data store in Chattanooga in 2009. This breach of the Health Insurance Portability and Accountability Act (HIPAA) has not yet led to any known misuse of protected health information (PHI) by the thieves. However, BCBST has reported its own losses as a result of the mess.
Since the breach, BCBST has spent a whopping $17 million in cleanup measures. These include investigation, notification of the breach to affected parties, and offering protection services to remediate the potential abuse of stolen data. As part of its settlement with HHS, BCBST must abide by a 450-day corrective action plan, which includes monitoring the training and enforcement of policies and procedures created and reported to HHS concerning how to safeguard patient PHI.
Among these activities was the decision to encrypt all data in storage, which BCBST deems a “voluntary effort which goes above and beyond current industry standards.” It would seem that industry standards are deplorably low if the offending organization can claim this move as exceptional. I would like to know which industry in particular the organization has in mind. Last time I checked, HIPAA (1996) and the Health Information Technology for Economic and Clinical Health Act (HITECH) of 2009 looked to encryption as the best means of ensuring the safety of digital patient information.
Given that PHI often contains SSNs (information that can affect the health of your credit score and wallet), this information needs industry-leading standards at all times. Encryption for health data needs to come standard, regardless of what industry standards folks have in mind, because it’s too little too late for those affected by the breach, totaling 1 million members. We are coming to terms with the costs consumers incur because of these breaches, but shouldn’t we really be wondering how much organizations could save us and the healthcare industry as a whole by being proactive and doing much more than the little that’s expected?