
New and upcoming state and federal regulations are already rewriting assumptions about data security in health care. This cautionary tale explains just how it’s happening.
The following tale is purely fictional - or is it? That really depends upon your mindset - certainly the names and places have been invented, but this scenario describes all-too-real events that, unfortunately, can happen in any healthcare facility. The onslaught of rapid-fire legislative changes and overlapping rules is causing healthcare organizations to carefully examine hiring, training, and breach-preparation tactics to ensure a privacy and security strategy that meets regulatory requirements AND better safeguards patient data.
The Event
On October 15, Jane Holt, the new privacy officer at a 300-bed medical facility, learned from a staff member that a contracted nurse had been taking patient files home, copying them, and then returning them when she was finished. Some 632 records, which included dates of birth and Social Security numbers, appeared to have been compromised. The patients whose information was breached resided in California, Florida and Ohio.
The hospital had misplaced a few files before, but nothing of this scale or sensitivity. Holt had never faced the need to respond with a full-fledged data breach notification to those patients who were victimized. What needed to happen first? Who should be involved going forward? Would the hospital attorney handle everything? Who would take the incoming phone calls? What about bad publicity - did the media need to know?
The Investigation
Both Holt and the hospital's attorney had a certain expertise in privacy and security regulations. They knew that a credible and indisputable investigation was paramount as a first step. The facility would need to be fully and defensibly prepared to answer the question: How did this happen?
The hospital hired an outside risk consulting company to investigate the incident and determine the scope of the breach. Within a week, the investigators uncovered that the contract nurse, Mollie Hartwell, though seemingly qualified, had a substance abuse problem and a bad credit history. Moreover, she had pled guilty to theft, felony possession of controlled substances and intent to sell after a 2006 placement at a hospital in Texas.
The agency that provided contracted staff to the hospital had run a standard background check on Hartwell. However, it was a bare-minimum check - the agency did not require a credit check for employees who did not have fiduciary responsibilities, and because it was located in a state where pre-employment drug tests are not mandated, no drug screen was performed. The felony conviction was missed due to an incomplete criminal history check: Hartwell had married and changed her name after leaving rehab, and the agency searched her current name only. She provided no details of her job or conviction in Texas, and the agency searched for criminal records only in the jurisdictions listed on the application. To complicate matters, the hospital did not bother to research the agency's specific background check methodologies to determine whether they met the hospital's own standards.
The Response
Although both the privacy officer and the hospital's attorney were well-versed in privacy and security regulations, they were not familiar with the laws and mandates surrounding breach notification. How much of this detail were they required to reveal? Would that compromise the ongoing investigation? Which breach notification law took precedence: state or federal? Was it necessary to keep tracing data, trying to determine whether Hartwell's criminal activity had led to identity theft for any of the patients whose data she had apparently copied?
The risk consulting firm, still involved in the investigation, recommended the facility engage the firm's incident management team to aid with legislative compliance, and to manage patient notification and support elements.
The compliance team at the risk consulting company worked closely with Holt and walked the hospital's internal team through the specific breach notification requirements, both federal and state.
Because more than 500 records were compromised, the hospital promptly notified the Department of Health and Human Services (HHS). The hospital was also contracted with the Centers for Medicare and Medicaid Services (CMS); therefore, it was necessary to notify CMS of the incident as well.
The risk consulting company also informed Holt that notification did not end with federal law - it was necessary to follow state law, specifically the laws of the states in which the affected individuals resided. California law, for example, mandates that the CA Department of Public Health and the affected patients be notified within five (5) days after detection of the breach. In addition, the hospital was also expected to adhere to the 45-day notification timelines of Florida and Ohio. In deference to the ongoing investigation into Hartwell's criminal activities, the notification materials made only the required references to the data loss. Recognizing the likely concerns over how the patient information was acquired and exposed, the hospital provided patients with access to proactive, internet-scanning identity management tools. This gave the impacted audience an opportunity to take back a degree of control, enabling them to quickly detect unauthorized use of their confidential data.
Under HITECH, the hospital was also required to notify the media. With the crisis media management expertise of the risk consulting company, the hospital was able to give the media a clear notification informing them of the incident and detailing the services being provided to the affected population.
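The notification obligations described above (HHS and the media once more than 500 records are involved, CMS because of the hospital's contract, and per-state windows counted from the detection date) are the kind of checklist a privacy officer wants generated mechanically rather than reconstructed under pressure. The following is an added example, not code from the article or from any of the organizations it describes: it turns the article's stated rules into a notification plan for one incident. The state windows (CA 5 days, FL and OH 45 days) and the 500-record federal threshold are taken from the article and hard-coded as an assumption; the sample record set and the detection year are constructed.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Notification windows as stated in the article, in days after the breach
# is detected. ASSUMPTION for this example only: real statutory deadlines
# differ by state and change over time, so a live plan sources this table
# from counsel, not from a code constant.
STATE_NOTIFICATION_DAYS = {
    "CA": 5,   # CA Department of Public Health and the affected patients
    "FL": 45,
    "OH": 45,
}

# Federal trigger from the article: more than 500 records compromised means
# HHS must be notified and, under HITECH, the media as well.
LARGE_BREACH_THRESHOLD = 500


@dataclass
class Notification:
    recipient: str
    deadline: Optional[date]   # None = "promptly"; the article gives no numeric federal window
    reason: str


def plan_notifications(records, detected_on, contracted_with_cms=False):
    """Build the notification checklist for one incident.

    records: iterable of dicts with at least a 'state' key (two-letter code).
    detected_on: date the breach was detected; state windows count from here.
    """
    by_state = Counter(r["state"] for r in records)
    total = sum(by_state.values())
    plan = []

    if total > LARGE_BREACH_THRESHOLD:
        plan.append(Notification("HHS", None,
                    f"{total} records exceeds the {LARGE_BREACH_THRESHOLD}-record threshold"))
        plan.append(Notification("media", None,
                    "HITECH media notice required for a large breach"))
    if contracted_with_cms:
        plan.append(Notification("CMS", None, "facility is contracted with CMS"))

    # One entry per state of residence; a state missing from the table is
    # flagged for escalation rather than silently given a guessed window.
    for state, count in sorted(by_state.items()):
        days = STATE_NOTIFICATION_DAYS.get(state)
        if days is None:
            plan.append(Notification(f"state:{state}", None,
                        f"{count} residents; window not in table, escalate to counsel"))
        else:
            plan.append(Notification(f"state:{state}", detected_on + timedelta(days=days),
                        f"{count} residents; {days}-day window"))
    return plan


def pacing_deadline(plan):
    """The earliest dated deadline is the one that drives the response timeline."""
    dated = [n.deadline for n in plan if n.deadline is not None]
    return min(dated) if dated else None


# Constructed sample mirroring the article's scenario: 632 records across
# CA, FL and OH, detected on October 15 (year assumed for the example).
SAMPLE_RECORDS = ([{"state": "CA"}] * 300 + [{"state": "FL"}] * 200
                  + [{"state": "OH"}] * 132)
SAMPLE_DETECTED = date(2023, 10, 15)

if __name__ == "__main__":
    plan = plan_notifications(SAMPLE_RECORDS, SAMPLE_DETECTED, contracted_with_cms=True)
    for n in plan:
        print(f"{n.recipient:10} {n.deadline or 'promptly'!s:12} {n.reason}")
    print("pacing deadline:", pacing_deadline(plan))
```

On the sample input the California window closes five days after detection and sets the pace for the whole response, while the Florida and Ohio notices fall 45 days out; the HHS, media and CMS entries carry no numeric date because the article states only that HHS was notified promptly.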
Proactive Steps
After the investigation and breach response were complete, the hospital recognized that notification is just one facet of responding to a breach - an organization must have policies and procedures in place to protect personally identifiable information (PII) and safeguard against data breaches and incidents of identity theft. As such, and in accordance with federal and state statutes, the hospital implemented the following steps as part of its revised security plan: