By Kelly A. Briganti, Editorial Director, G2 Intelligence
As an Oregon health care insurer just experienced, if your lab suffers an information security breach, even one due to a lost laptop or flash drive, the Health Insurance Portability and Accountability Act (HIPAA) requires your lab to notify the Office for Civil Rights. And if more than 500 individuals could be affected, you’ll have to provide public notice of the breach. Last week, Oregon’s Health CO-OP issued a press release about a stolen laptop. Although it reports that no medical information was stored on the laptop, the device did contain member names, addresses, ID numbers, dates of birth and social security numbers. The organization is now incurring the costs of providing free identity theft protection services for potentially affected individuals and of staffing an inquiry hotline.
As the Anthem and Premera hackings indicate, health care entities have to worry not just about lost or stolen laptops but deliberate hacking and other cybercrimes. On April 30, Partners HealthCare System began sending letters to patients potentially affected when information was accessed after employees fell prey to phishing emails, which “created an opportunity for unauthorized access to” workers’ email accounts and patient demographic information, according to a press release from Partners. An April 29 press release announcing the Cyber & Information Security for US Healthcare Forum, to be held in Orlando in July 2015, reports that “health care data security attacks” represent “42% of all major data breaches reported in 2014.”
Any time your laboratory faces a potential information security breach, the costs can be substantial—in addition to the costs discussed above to protect individuals placed at risk by the breach, there are fines or penalties for violations of HIPAA or the FTC Act and even civil lawsuits like those currently facing Anthem and Premera. As we recently reported in G2 Compliance Advisor (GCA), a 2014 study by the Ponemon Institute estimated the cost of a data breach at around $200 per record in the United States, with the health care industry having one of the highest costs per record of all industries. The GCA article discusses measures laboratories can take to minimize their risk, including encryption, firewalls, special attention to access points, and the use of sandboxes and whitelisting. For more information, see the April 2015 issue of G2 Compliance Advisor.