Posted on 19 Dec 2011
One afternoon last spring, Micky Tripathi received a panicked call from an employee. Someone had broken into his car and stolen his briefcase and company laptop along with it. So began a nightmare that cost Mr. Tripathi’s small nonprofit health consultancy nearly $300,000 in legal, private investigation, credit monitoring and media consultancy fees. Not to mention 600 hours dealing with the fallout and the intangible cost of repairing the reputational damage that followed.
Mr. Tripathi’s nonprofit, the Massachusetts eHealth Collaborative in Waltham, Mass., works with doctors and hospitals to help digitize their patient records. His employee’s stolen laptop contained unencrypted records for some 13,687 patients — each record containing some combination of a patient’s name, Social Security number, birth date, contact information and insurance information — an identity theft gold mine.
His experience was hardly uncommon. As part of the 2009 stimulus bill, the federal government provides incentive payments to doctors and hospitals to adopt electronic health records. Some 57 percent of office-based physicians now use electronic health records, a 12 percent jump from last year, according to the Centers for Disease Control.
An unintended consequence is that as patient records have been digitized, health data breaches have surged. The number of reported breaches is up 32 percent this year from last year, according to the Ponemon Institute, a security research group. Those breaches cost the industry an estimated $6.5 billion last year. In almost half the cases, a lost or stolen phone or personal computer was responsible.
Mr. Tripathi describes the days after the theft as a “vortex.” Fresh in his mind was a similar, albeit smaller, breach at Massachusetts General Hospital just months earlier in which a hospital employee left detailed clinical records for 192 patients on a subway. The breach had cost the hospital $1 million in settlement fees.
“We’re a nonprofit with 35 people on staff,” says Mr. Tripathi. “A million-dollar fine would have decimated us.”
Mr. Tripathi says his nonprofit had just enacted a policy requiring that all patient files be encrypted, but had yet to decide on an encryption provider. All that stood between a determined computer thief and his patient data was a few passwords.
Mr. Tripathi went to work assembling a crisis team of lawyers and customers and a chief security officer. They hired a private investigator to scour local pawnshops and Craigslist for the stolen laptop. The biggest headache, he says, was deciphering how much about the breach his nonprofit needed to disclose.
Health organizations are required by federal law to report data breaches that affect more than 500 people to the Department of Health and Human Services. The department’s Office of Civil Rights publishes the equivalent of a data breach “Wall of Shame” on its Web site — which today includes 380 breaches affecting more than 18 million people.
Mr. Tripathi said he quickly discovered just how many ways there were to count to 500. The law requires disclosure only in cases that “pose a significant risk of financial, reputational or other harm to the individual affected.” His team spent hours poring over a backup of the stolen laptop files.
Of the nearly 14,000 patient records on the stolen laptop, most records did not warrant disclosure. In 2,777 cases, for instance, a record listed only a patient’s name.
Complicating matters were liability rules. In the eyes of the law, Mr. Tripathi’s nonprofit is a contractor that acts on behalf of health providers. The legal burden of protecting patient data actually falls on his clients: the physicians and hospitals who entrusted his nonprofit with their files.
“The laws create a perverse outcome,” he says. “It was our fault, but from a federal perspective, it wasn’t our breach.”
Mr. Tripathi narrowed down the group of patients whose data put them at serious risk for identity theft to 998 people across seven physician practices. Only one practice broke the 500-patient threshold requiring disclosure on the Department of Health and Human Services Web site.
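The triage his team did by hand (sort every record on the backup by what it contains, count the people actually exposed to identity theft, then count them per practice against the more-than-500 reporting threshold) is the kind of work an incident responder scripts on day one. The following is an added example, not code from the article or from the Massachusetts eHealth Collaborative; the sample records are constructed, and the rule for what counts as "significant risk" (an SSN, or a birth date paired with insurance details; a name alone does not) is an assumption chosen to mirror the article's description, not a legal test.

```python
"""Breach-notification triage over a parsed backup of a lost laptop's records.

Added example. Record layout, risk rule and sample data are assumptions.
"""
from collections import defaultdict

# Assumed record layout: one dict per row, empty string when the item is absent.
IDENTIFIER_FIELDS = ("ssn", "dob", "insurance")


def classify(rec):
    """Assumed rule: SSN, or birth date plus insurance info, is high risk.
    Name alone (or name plus only a birth date) is low risk."""
    if rec.get("ssn"):
        return "high"
    if rec.get("dob") and rec.get("insurance"):
        return "high"
    return "low"


def triage(records, threshold=500):
    """Count exposed people per practice and decide which practices cross the
    federal reporting threshold (more than `threshold` people affected)."""
    high_risk = defaultdict(set)   # practice -> set of distinct patient names
    name_only = 0
    for rec in records:
        if classify(rec) == "high":
            # Count people, not rows: one patient can appear in several records.
            high_risk[rec["practice"]].add(rec["name"])
        elif not any(rec.get(f) for f in IDENTIFIER_FIELDS):
            name_only += 1
    per_practice = {p: len(s) for p, s in high_risk.items()}
    return {
        "people_to_notify": sum(per_practice.values()),   # everyone at high risk
        "per_practice": per_practice,
        "hhs_report": sorted(p for p, n in per_practice.items() if n > threshold),
        "name_only": name_only,
    }


def build_sample():
    """Constructed data: practice A crosses the threshold, B and C do not."""
    recs = []
    for i in range(520):   # A: SSN present -> high risk, 520 people
        recs.append({"practice": "A", "name": f"A{i}", "ssn": f"000-00-{i:04d}",
                     "dob": "", "insurance": ""})
    for i in range(30):    # B: DOB + insurance -> high risk, 30 people
        recs.append({"practice": "B", "name": f"B{i}", "ssn": "",
                     "dob": "1970-01-01", "insurance": "PLAN-1"})
    for i in range(40):    # B: name only -> low risk
        recs.append({"practice": "B", "name": f"B{i + 30}", "ssn": "",
                     "dob": "", "insurance": ""})
    for i in range(10):    # C: DOB only -> low risk under the assumed rule
        recs.append({"practice": "C", "name": f"C{i}", "ssn": "",
                     "dob": "1980-05-05", "insurance": ""})
    return recs


if __name__ == "__main__":
    result = triage(build_sample())
    print(f"people to notify: {result['people_to_notify']}")
    print(f"per practice:     {result['per_practice']}")
    print(f"report to HHS:    {result['hhs_report']}")
    print(f"name-only rows:   {result['name_only']}")
```

The split between `people_to_notify` and `hhs_report` is the point: every exposed person is notified and offered credit monitoring regardless of practice size, while the public reporting obligation attaches per covered entity, which is why one practice in the article landed on the HHS list and six did not.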
His office got to work notifying the affected patients of the data breach. They offered free credit monitoring — though less than 10 percent took them up on the option — spending a total of $6,000.
In the aftermath, Mr. Tripathi says his company destroyed all patient data on mobile devices and temporarily prohibited employees from removing patient data from clients’ offices. The company now mandates that all data be encrypted, and employees are required to tell health providers what data they will need to access and how they plan to use it.
He never found the stolen laptop, and the incident, all told, cost his nonprofit $288,000.
In many ways, Massachusetts eHealth Collaborative got off easy. In October, a desktop computer containing unencrypted records on more than four million patients was stolen from Sutter Health, a nonprofit health system based in Sacramento. A rock was thrown through a window to gain access to the computer. The theft is now the subject of two class-action suits, each of which seeks $1,000 for each patient record breached.
“Breaches are going to be one of the big challenges as more physicians and hospitals adopt electronic health records,” Mr. Tripathi says. “We’re entering a brave new world.”