I recently got directed to this article called First-Hand Experience with a Patient Data Security Breach. It is a really good breakdown of what happens during a breach and in the events that follow. It starts with the theft of a laptop from an employee’s car.
After the theft was reported, they looked at a recent backup of the machine and learned that the laptop contained data files about healthcare patients. Well, not directly. It contained logs of problems with health information systems, and within those logs were the healthcare records. Oops. While the laptop did not belong to a healthcare provider directly, it still held files that could constitute a reportable breach under HIPAA regulations, as well as under Massachusetts state data breach law. That is a pattern worth checking for on your own machines: diagnostic logs and support dumps routinely carry the same sensitive data as the production systems they describe, but rarely get the same protection.
One of the items that is most telling from the article is the following:
Add to that the fact that the rules to implement the HITECH modifications are still just proposals and not final regulations yet, and what we were left with was a grab-bag of statutory and legal piece-parts that we ourselves had to assemble without any instructions or diagrams.
The article has a long section that describes what they and their lawyers determined was necessary and prudent for them to do, followed by all of the analysis they did to determine exactly whose records were affected and warranted breach notification. Of the original 14,475 records on the lost laptop, they determined that only about 1000 records (7%) would have a “significant risk of harm if their data was actually accessed”.
The most telling breakdown of the entire article was the hard and soft costs of the breach. Losing a single unencrypted laptop with 14,475 records on it resulted in $288,808.00 of direct costs. The overwhelming majority of this was legal fees ($150K) and 600 hours of staff time spent on the analysis and response ($125K). Their insurance covered the majority of the non-staff-time costs, but that in turn resulted in a $5,000.00/year increase in their insurance premiums. Note that none of this cost would have applied had the laptop been encrypted: under the HITECH breach notification rules, lost data that is properly encrypted is not a reportable breach, and a full-disk encryption license costs a small fraction of one hour of that legal time.
The article concludes with a breakdown of what they did in the aftermath, and a list of lessons learned from the incident. A final quote to wrap up the article:
In my opinion, the penalties we paid for an honest mistake with very low risk (a random theft of a password-protected laptop containing a patchwork of demographic data) seem disproportionately high ($300,000 to us; national public exposure to the practice.)
It is worth contrasting this with the cost of not reporting the breach, which could have resulted in fines under HIPAA/HITECH. This breach seemed to fit the case of “the violation was due to reasonable cause and not to willful neglect”, which caps the fines at $1,000 per violation, or $100,000 per calendar year. So for about 1/3 of what they actually spent, they might have considered just accepting the HITECH fines. The catch is that a deliberate decision not to notify is hard to describe as “reasonable cause”: knowingly ignoring the notification requirement invites the willful neglect tiers, which carry much higher per-violation penalties, and Massachusetts law gives the state Attorney General a separate enforcement path. The arithmetic is still telling, though, because it shows how little the penalty schedule has to do with what a breach actually costs an organization.