To Date: 1,857 Entries on the Wall of Shame
What wall of shame? The U.S. Department of Health and Human Services actually keeps a record, as required by law, of reported breaches affecting 500 or more individuals’ personal health information, and, so far, there are more than 1,800 entities that fall into that category. Further, many of the reported breaches cover thousands of patients. A quick extrapolation reveals approximately 2.5 billion patients affected by millions of breaches of supposedly secure data. The last 15 reported “shamers” affected more than 210,000 people—and that is just from the first seven weeks of this year. Yes, that is the figure, more than 200,000 people affected by data breaches in a month and a half. And those are just breaches that A. are reported to HHS; and B. affect more than 500 people. So, any breach affecting 499 patients doesn’t even make the list.
There are 50 Tennessee entities on the “wall,” with the most recent being Memphis VA Medical Center, which was added March 1, 2017. Most breaches were noted to be from “theft” or “unauthorized access/disclosure.” The theft cases usually involved the theft of a laptop that contained unsecured protected health information and unsecured means that the data has not been rendered “unusable, unreadable, or indecipherable.” Unauthorized access or disclosure usually occurs when an individual, perhaps a workforce member, accesses information that is not necessary for treatment or for another authorized business purpose, and when someone gains access to protected information without a legitimate reason for doing so, it is then considered a breach, whether they actually use the data or not.
Certainly, there are no guarantees, although the government appears to think security can be guaranteed (and the statistics show governmental entities are probably breached the most), but an organized, methodical process should dramatically reduce the risk of exposure and avoid future data leaks. I am certain many of those who found themselves on the Wall of Shame thought they were compliant or, at least, thought they wouldn’t suffer a breach. I am equally certain no one on the Wall of Shame intended to be represented there, but the only way to avoid a trip to the Wall is to take an honest look at compliance.
Many services are available to assist with compliance, and several of them will accommodate a relatively narrow budget. How much might one of the shamers be willing to pay to avoid the wall? What would they say about non-compliance and whether a breach is possible? I suspect they would recommend an immediate review of systems and a plan of action to avoid the type of breach that can result in the public disclosure of, dare to think of it, failure. The failure to adequately and properly secure data as entrusted. No one wants prominence on the Wall of Shame. No one wants to cause harm, irritation or worry to their clients, customers or patients. So get some help and develop a program to get compliant. Don’t be entry 1,858.
Julie-Karel Elkin is an experienced litigator who has worked with some of the nation’s largest insurance companies, independent businesses and personal claims. Focusing in negligence and regulatory claims, torts, contract disputes, mediation and administrative processes, she is uniquely qualified to address all aspects of health data needs. She is the head of Spicer Rudstrom’s Health Data practice in the firm’s Nashville office.