South Shore Hospital To Pay $750,000 In 2010 Breach Settlement

Yesterday, South Shore Hospital and the Massachusetts Attorney General's Office both announced a settlement agreement regarding the hospital's 2010 data breach. the breach exposed the sensitive personal and medical information of 800,000 current and former patients, plus patients at Harbor Medical Associates and South Shore Physician Hospital Organization.

In February 2010, South Shore Hospital shipped three boxes containing 473 unencrypted back-up computer tapes to an off-site vendor, Archive Data Solutions, for erasure. The boxes contained the records of 800,000 patients. According to AAG Coakley's office, the hospital failed to inform Archive Data that boxes contained sensitive personal protected health information. Nor did the hospital determine whether Archive Data had sufficient data security methods to protect this sensitive information.

In June 2010, the hospital learned that only one of the boxes, shipped via several companies, arrived at its destination in Texas. The missing boxes have not been recovered. In a statement, AG Coakley emphasized:

“Hospitals and other entities that handle personal and protected health information have an obligation to properly protect this sensitive data, whether it is in paper or electronic form... It is their responsibility to understand and comply with the laws of our Commonwealth and to take the necessary actions to ensure that all affected consumers are aware of a data breach.”

According to terms of the settlement approved in Suffolk Superior Court, the hospital will pay a $750,000 fine which includes a $250,000 penalty and $225,000 for a data security education fund. The Massachusetts Attorney General's office will use the education fund to:

"... promote education concerning the protection of personal information and protected health information."

The payment is also reduced by $275,000 for expenses the hospital has already made for data security improvements. The HIPAA Privacy Rule specifies which health care organizations must comply with certain data security standards. the rule also defines what "protected health information" is: personally identifiable health care information in any format (e.g., print, electronic).

BCBS Of Tennessee To Pay $1.5 Million To HHS To Settle 2009 Breach

Blue Cross Blue Shield of Tennessee (BCBST) announced a settlement agreement with the U.S. Department of Health and Humans Services (HHS) about its 2009 data breach which exposed the medical records of about 500,000 patients in 32 states. Terms of the settlement agreement require BCBST to pay a $1.5 million penalty and submit to a 450-corrective action plan.

HHS had alleged in a lawsuit that BCBST had violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rules. The HIPAA Security Rules require covered health care organizations to notify affected individuals of any breach involving their health information, and to notify HHS and the news media about any breaches affecting more than 500 consumers.

HHS disclosed in a news release:

"... BCBST failed to implement appropriate administrative safeguards to adequately protect information remaining at the leased facility by not performing the required security evaluation in response to operational changes. In addition, the investigation showed a failure to implement appropriate physical safeguards by not having adequate facility access controls; both of these safeguards are required by the HIPAA Security Rule."

The 450-day corrective action plan requires BCBST to:

• Review, revise, and maintain its Privacy and Security policies and procedures,
• Conduct regular and robust trainings for all BCBST employees covering employee responsibilities under HIPAA, and
• Perform monitor reviews to ensure BCBST compliance with the corrective action plan.

Utah Medicaid Breach Larger Than First Estimated

A data breach at the Utah Department of Technology Services (DTS), which operates computer servers that store Medicaid claims data for the Utah Department of Health (UDH), appears to have affected more consumers than first estimated. Late last week, the DTS reported that about 181,000 Medicaid and Children's Health Insurance Plan (CHIP) recipients were affected. About 25,096 people of the 181k total had their Social Security numbers exposed/stolen.

Yesterday, the UDH disclosed a greater number of breach victims: an additional 255,000 additional victims had that Social Security numbers stolen, and an additional 350,000 had lesser personal information exposed/stolen. So, the total count is now 780,000 breach victims:

Medicaid claims typically include patients' names, addresses, birth dates, Social Security numbers, physician’s names, national provider identifiers, addresses, tax identification numbers, and billing codes for medical procedures. The initial breach estimate was 24,000 records exposed/stolen. The breach investigation is still ongoing. UDH disclosed in a press release:

"DTS servers have multi-layered security systems that include many controls, including: perimeter security, network security, identity management, application security, and data security. In this particular incident, a configuration error occurred at the authentication level, allowing the hacker to circumvent the security system. DTS has processes in place to ensure the state's data is secured, but this particular server was not configured according to normal procedure. DTS has identified where the breakdown occurred and has implemented new processes to ensure this type of breach will not happen again..."

The UDH is notifying all breach victims via a breach letter, but with a priority of first notifying the consumers whose Social Security numbers were exposed. These breach letters offer one year of free credit monitoring services. Other breach victims will receive a slightly different notice with information about how to further protect themselves. People with online access via the My Case web portal, were given breach notices both online at the web site and via e-mail.

When Worlds Collide

The Bright Side of Identity Theft And Fraud For Consumers

In a New York Times article titled, "The Bright Side Of Being Hacked," reporter Somini Sengupta described several benefits for corporations of a data breach via hacking. The article concluded:

"Rather, what Anonymous has done, experts said at the big RSA computer security conference here last week, is raise the alarm about the unguarded state of corporate computer systems."

Yes, raised awareness is a good thing, as was recently discussed about unsecured corporate video conferencing systems. Sengupta's articles reminded me of a blog post I wrote in 2010 which listed six benefits for consumers of being an identity theft victim:

"1. Awareness: After an identity thief has stolen your personal data, account credentials, and/or money consumers seem to have a new awareness of of the value of their sensitive personal data.
2. Acceptance and curiosity: after having their identity information and/or money stolen, there is an acceptance that identity theft is a problem. There is a curiosity to learn about other ways identity thieves and criminals might harm them, so they can avoid this painful experience in the future.
3. Willingness to change behaviors: Not knowing how to protect yourself is terrifying to most people. The pain from this terror seems to be sufficient incentive for consumers to change their habits (e.g., practice safe online shopping habits, check their credit reports for accuracy, use strong passwords at online sites, maintain anti-virus software on their home computer, etc.). Of the people I have talked with, after being an identity-theft victim, none want to return to their old ways.
4. Stronger consumer interest: along with this awareness about identity theft is an interest in products, services, processes, and/or laws that address and protect the needs and assets of consumers. Getting good customer service seems to become more important, too.
5. Gratitude and appreciation: before becoming a victim of identity theft and fraud, many consumers perceive warnings by consumer and privacy advocates to be unnecessary and overly cautious. Some have called me paranoid. After experiencing the pain of the theft and fraud, a different attitude emerges which includes a sincere appreciation for identity theft protection advice to help them fix their fraud problem, and a context for listening to future warnings.
6. Participation in our democracy: when the perception is that local or federal laws haven't kept up with business practices, some been motivated to write to their Congressional reps to demand action."

While, identity theft and fraud are painful experiences for consumers, these events can be a huge wake-up call for consumers to change their habits and practice better data security habits at home, at work, at ATM machines, at their doctor's office, at social networking websites, and with their mobile devices.

PHI Project Releases Report About Health Care Data Security

On Monday, the PHI Project released a report about the state of data security within health care organizations titled, "The Financial Impact of Breached Protected Health Information: A Business Case for Enhanced PHI Security." Key findings:

• Weak Data Security: health care organizations are entrusted with safeguarding patient privacy, but their security efforts are not keeping pace with the growing risks of lost/stolen protected health information (PHI),
• Data Breach Activity: the number and size of data breaches including PHI are increasing. The negative impacts are financial, legal, clinical, and reputational for the organizations experiencing data breaches,
• The PHI Project recommends that health care organizations implement a five-step method – PHI Value Estimator (PHIve) -- to evaluate the risks of a breach of PHI data, and implement preventative measures.

According to Rick Kam, president and co-founder of ID Experts and chair of the PHI Project:

“No organization can afford to ignore the potential consequences of a data breach... We assembled this working group to drive a meaningful dialogue on appropriate levels of investment to better protect healthcare organizations and PHI.”

The PHI Project is a partnership including the American National Standards Institute (ANSI) via its Identity Theft Prevention and Identity Management Standards Panel (IDSP), The Santa Fe Group/Shared Assessments Program Healthcare Working Group, and the Internet Security Alliance (ISA) -- with assistance from ID Experts.

How To Evaluate A Health Care Debit Card Plan From Your Employer

A blog post on Tuesday described Caren's experience with her United Healthcare Consumer Accounts Card, a specialized debit card her employer provided for Flexible Spending Account (FSA) expenses. That blog post highlighted what can go wrong with a health care debit card.

I wanted to take a closer look at the card agreement, and see what broader issues might apply in general. Today's blog post includes my findings about several items employees should be aware of when considering a health care debit card plan. I am not an attorney, so this is not legal advice -- just my observations and opinions as a consumer -- like you tyring to navigate a complex world. If you need legal advice, hire an attorney.

First, healthcare debit cards are similar to traditional debit cards, but with several important differences. Employees must understand how they work and when fees apply, just as you would with a traditional debit card with your bank checking account. So, it is important to closely read all appliable agreements, terms, or policies y to know your rights and responsibilities -- especially when bad things happen.

The introduction to the United Healthcare Consumer Accounts Card agreement (Adobe PDF; which is also available here) lists some important warnings:

"At the register or cashier: This is not a credit card, but you will need to choose “credit” when making purchases... At the pharmacy, supermarket or other retail store: Pay for eligible over-the-counter (OTC) supplies and materials. Please note: The card will be rejected if purchasing OTC medicines, even when prescribed..."

Select "credit" at the point-of-sale even though the card says "Debit" on its face? Prescribed OTC medicine will still be rejected? These exceptions sound like a recipe for employee confusion and rejected purchases. While the agreement states that it is a MasterCard Debit, I wonder if the bank tweaked a traditional credit-card payment solution for health care purchases and rushed it to market without removing all the bugs first.

What comes to mind is that old saying: never buy the first year of a new car production (and wait until the manufacturer gets all of the bugs out). Seems to apply to payment solutions, too.

Section #2 of the same agreement states:

"When you use the Card, you represent and warrant that you will not submit, and have not previously submitted, a claim for reimbursement for the same expenses under any other plan or program. You agree to save all invoices or receipts that are provided to you by merchants and service providers when you use the Card. You agree to provide a copy of any such receipt to us or United Healthcare, promptly on request. If you fail to submit a receipt when it is requested, under IRS rules, the amount in question may not be excluded from your gross income for federal tax purposes or may otherwise result in financial penalties to you. Your use of the Card is subject to the terms and conditions of the Plan, as well as the terms and conditions of this Agreement..."

So, employees must still save all purchase receipts. The health care debit card doesn't eliminate all paperwork. The last sentence in the above clause is important because it highlights the fact that several policies apply. It would be helpful if this agreement listed all applicable policies. My estimate is that at least five different policies apply:

1. Consumer Accounts Card Agreement,
2. United Healthcare HIPAA Privacy Policy,
3. Any additional policies at myUHC.com,
4. Employee handbook or manual,
5. Optum Bank policy

Employees should not have to guess which policies apply. It would be best for employees if a single, consolidated policy applied, but unfortunately American business does not operate that way today.

Let's return to the Consumer Accounts Card agreement, which also states:

"You agree that you will only use the Card to pay for eligible expenses under the Plan... if you use the Card for anything other than an eligible expense, you will be liable for any taxes, penalties and other expenses payable under applicable law and any expenses we, United Healthcare or your employer may incur as a result of such impermissible use. Upon demand, you agree to reimburse us, United Healthcare or your employer, as the case may be, for any such use for non-eligible expenses..."

While employees may think that ineligible FSA expenses are automatically blocked at the point-of-sale, the agreement governs what really happens. The Consumer Accounts Card payment process may indeed block some ineligible purchases, but United Healthcare and the bank seem to have left themselves a convenient loophole where employees are still liable. It would be helpful if the agreement stated what those amounts of taxes, penalties, and other expenses could be. It seems risky to use a debit card when you don't know the exact amount of fees that might apply.

Second, employees should be aware of their responsibilities to avoid liability. The "Consumer Liability" portion of the agreement states:

"Tell us AT ONCE if you believe your Card has been lost or stolen. Telephoning is the best way of keeping your possible losses down. If you tell us within 4 business days, you can lose no more than $0 if someone used your Card without your permission. (If you believe your Card has been lost or stolen, and you tell us within 4 business days after you learn of the loss or theft, you can lose no more than $0 if someone used your Card without your permission.)"

This four-day time period seems unreasonably short. My bank allows 60 days from my statement to dispute a charge on that statement. Does United Healthcare expect employees to check their online FSA account every four days? The next portion of the agreement states what happens when employees provide notice after the four-day window:

"If you do NOT tell us within 4 business days after you learn of the loss or theft of your Card, and we can prove we could have stopped someone from using your Card without your permission if you had told us, you could lose as much as $50."

Now, the liability sounds more like the liability with a traditional credit card: $50. What I find troubling about this clause is that it assumes traditional theft or loss. This blog has documented numerous examples of identity thieves plant skimming devices inside point-of-sale terminals at gas stations, supermarkets, and other retail stores to steal consumers' data to clone debit cards. Since employees are forced to use health care debit cards at retail stores, a more relevant agreement would provide tips about what to do if they believe their card has been cloned. Perhaps the myUHC.com site explains this, but I don't have a myUHC.com account.

The agreement also states (emphasis added by me):

"... if the statement you receive from the Plan administrator shows transfers that you did not make, tell us at once. If you do not tell us within 90 days after the statement was mailed to you, you could lose as much as $50 if we can prove that we could have stopped someone from taking the money if you had told us in time."

Again, that sounds like traditional credit card liability (e.g., $50), but at least the window for notice is longer at 90 days. Why lead with the four day clause? It seems unnecessary. In Caren's case, it seems that United Healthcare is enforcing the 90-day clause. What I find troublesome about the above clause is that it assumes paper statements sent via postal mail. In reality, employees' statements are available online. Nothing is sent via postal mail. So, why write the agreement assuming this? It sounds like the card agreement was rushed to market without all the bugs removed.

Another portion of the agreement states:

"ALL QUESTIONS ABOUT TRANSACTIONS MADE WITH YOUR CARD MUST BE DIRECTED TO THE BANK, AND NOT TO YOUR EMPLOYER OR PLAN ADMINISTRATOR. The Bank is responsible for issuing the Card and for resolving any errors in transactions made with your Card. The transactions will appear only on the statements provided to you by the Plan administrator."

It would be helpful if the agreement listed the bank's phone and postal address information. I couldn't find it in the agreement. The agreement lists United Healthcare's phone and postal address information. In my experience, well-written agreements provide both phone and postal address information with any instructions where consumers should give notice. Perhaps, the other policies provide this information, but I don't have a myUHC.com account.

SO, let's see if I got this correct. The agreement directs employees to contact United Healthcare for transfers the employee didn't make, but contact the bank about statement "errors."What's the difference? How are employees to tell? This sounds confusing.

It troubles me that the above clause mentions "errors" and doesn't mention "fraud." I would expect any bank to aggressively investigate suspected fraud. The fact that Optum Bank's flow of funds page still presents a 2008 copyright does not give me much confidence in the bank:

If something this simple still says 2008, what else has this bank missed? Or, should consumers conclude that the Optum web site hasn't been updated in four years? Or is this flow-of-funds information that is four-years old and/or obsolete? I would expect more timely and current information from any bank -- especially one processing my extremely sensitive health care information.

The "Fees" section of the agreement states:

"OptumHealth Bank does not charge usage fees for this card."

No fees are good, because banks can apply a wide variety of fees to debit-card accounts.However, it means that employees should monitor any changes in the card agreement. Things might change with new fees introduced. So, employees should read any updates to the card agreements or policies with their health care debit cards.

Now, let's return to Caren's story. The fact that Caren never used the Medco online pharmacy should be a huge "red flag" to Optum Bank, Large HR Firm, and United Healthcare. It suggests that Caren's payment information was stolen. The payment data on Caren's Consumer Accounts Card could have been stolen via a skimming device, which identity thieves plant inside point-of-sale terminals at retail stores and gas stations -- not just at bank ATM machines.

If Caren's Consumer Accounts Card was not cloned via skimming device theft, then a couple other options are possible. The pharmacy may have re-submitted the purchases it originally rejected -- and if so, it should have notified Caren, and reimbursed her for the purchases she paid out-of-pocket. Caren could test this by using a different pharmacy. If the duplicate charges don't happen at the second pharmacy, then it is reasonable to assume a problem at the first pharmacy. If the duplicate charges continue, then it seems safe to assume that her debit payment data was stolen.

Insider identity theft is always a possibility. It's harder for employees to spot, but it does happen.

What should employees do if your employer offers a specialized debit card for healthcare expenses? I suggest the following steps:

• Read all applicable policies to know your rights and responsibilities -- especially before registering for a FSA with your employer. Your employer may have negotiated a really good deal for its employees, or not. Don't blindly assume so; read the fine print in the agreement first. Part of evaluating if it's a good deal is looking for certain clauses in the agreement -- like the ones listed above. If you have difficulty reading contracts, get help from a trusted friend, family member, or attorney if you can afford one.
• Use the Internet to find reviews written by employees about their health care debit card plan. Places I like to look include Consumer Reports, The Consumerist, and Epinions.
• File a police report with local law enforcement. (In Caren's case, somebody spent money from her FSA account without her authorization. That is theft.) Insist on law enforcement accepting the report. Make several copies. Attached the police report to any complaints filed with your employer, the FSA healthcare administrator, and the bank,
• Use a different pharmacy. If the duplicate charge problem stops, it is reasonable to assume a problem at the first pharmacy, and file a police report accordingly,
• If you feel that you aren't getting the services promised by the bank which processes your health care debit card transactions, learn about how to file a complaint against your bank.
• File a fraud complaint with the U.S. Federal Trade Commission (FTC) including any relevant documents (and non-action by employer, HR Firm, health care firm, and bank). This will help the FTC track any emerging theft trends with health care debit cards.
• If there is no action by the employer, HR Firm, healthcare firm, and/or bank), write a letter to your federal or state elected officials asking for help. It's part of their jobs -- to help their constituents.

Is the United Healthcare Consumer Accounts Card a good deal? Only you can decide for yourself, as everyone's needs are different. Hopefully, I have highlighted the things consumers should look for in any health care card agreement, so you can make an informed decision.

If you use a specialized debit card for health care expenses, what has been your experience?

A Debit Card Cautionary Tale

[Editor's Note: today's post is by guest author R. Michelle Green, the Principal for her company, Client Solutions. She is a combination geek girl, personal organizer, and career coach. Michelle helps others improve their use of technology in their personal or professional life. Today, she tackles what I believe will become a huge identity-theft problem. As employers lower their administrative costs by outsourcing payment systems that include debit-card transactions, the result is a more complicated, patchwork mix of companies where it is not easily clear who is responsible when bad things happen.]

By R. Michelle Green

At a business conference I attended, the topic turned to health care insurance administration. Some of the attendees now have new debit cards they didn’t ask for. Their employers gave them debit cards for their health care expenses (to access their Flexible Spending Accounts). Instead of having to submit receipts, employees offer the card at the point of sale. If s/he tries to charge more than allowed, or tries to charge things that are not acceptable, the card is rejected. Easily fits into the distributor’s payment systems (cash credit debit), no paperwork for the employee, less evaluative work for the FSA provider. Everyone wins, right?

Not everyone.

Meet Caren (not her real name, of course). She offered her new debit card -- her's is called a United Healthcare Consumer Accounts Card -- for prescription meds in January last year. However, the purchase was rejected by the pharmacy. She assumed it was a glitch, and paid for it herself. While this eventually happened every time, she doesn’t have medical charges every day, so it took a while to recognize that the card never worked. For reasons not relevant here, she did not pursue this with the provider until the fall, only to discover that all her money had been used up on health care charges she didn’t make.

She spoke with United Healthcare using the phone number on her Consumer Accounts Card. She submitted all her information in writing as they requested. They produced a sheet showing that her charges mostly matched (about 70%) identical charges paid 1-2 business days after hers. Though they did not accuse her of fraud, they did say the case was closed and did not merit an appeal. When she approached her human resources provider, he said, well at least she got the tax break. (!) She didn’t get a tax break, she got a salary reduction! She was deprived of access to her own money, set aside from her salary. The debit card agreement online says that she should call the bank operating the card, but that hasn’t proven productive either.

Had a second card been issued to someone else, we wondered? Not to her (or to the bank’s) knowledge. Did the drugstore have signatures on the other charges ostensibly hers? The other charges were mail order charges through Medco, so no receipts or signatures. She has no account with Medco. The pharmacy is not interested in pursuing this, they’ve been paid (perhaps twice!). Medco won’t address it, as she is not a client. The debit card provider only knows the money is spent. The FSA account holder is satisfied that it was spent for the right things. Only Caren is out of pocket and disadvantaged. Doubly so – this was so traumatic that she did not enroll in FSA this year. That makes her ineligible for the associated tax benefit in 2012.

Turns out our blog host is interested in the way financial systems are evolving, and found this issue particularly interesting. There are a lot more parties in the mix than you might at first think. Caren has an employer small enough that it purchases human resources expertise from a national firm. So there’s Caren, Small Firm, and Big HR Firm. Big HR Firm takes the money from her account and sends it somewhere based on their agreement with United Healthcare. Her debit card is managed by United Healthcare, and Optum Health Bank administers that card for them. Optum Health Bank has a subsidiary, Optum Financial, that handles the flow of money from the holding account to the point of sale. And what about the pharmacy: could their processes have been compromised as well?

I read a lot about fraud and scams, and wondered if this could be the tip of a software theft operation, selecting certain customers, and duplicating certain customers’ receipts, at just low enough rates that they are not perceived. (Good movie, eh? But Occam’s Razor says: not likely.) But who is the person with enough clout to investigate this, particularly if no one person or entity loses big bucks?

Today she tweeted that she had heard from Big HR Firm – there’s nothing they can do. So who’s responsible? Several corporations are in play; doesn’t each have a responsibility to Caren? Who can help her?

Data Breach Via Insider Identity Theft at North Carolina Hospital

The Data breach cause that scares me most is insider identity theft because it involves employees that should be trustworthy, and aren't. It also emphasizes that the company, hospital, or government agency have an aggressive "red flags" program in place to monitor who accesses sensitive consumer information (e.g., customers, patients, clients, employees, contractors), and compliance with data security policies.

Yesterday, the News-Record reported a data breach involving protected patient information at High Point Regional Health System. An employee took home 47 patients' files, and later returned them. Officials believe the data breach occurred between September 14 and October 6. Hospital representatives learned of the breach last month by an employee at Premier Imaging LLC, a hospital subsidiary. The employee has since been fired.

The breached records included patients' names, residential addresses, dates of birth, Social Security numbers, driver's license numbers and insurance information -- all of the critical data elements for thieves to assume another person's identity and do significant damage with health or financial accounts. An investigation by the health system could not determine whether the former employee has any patient information in her possession or has used it in any way.The hospital has notified affected patients, and arranged an identity protection service for the affected consumers.

Specific data security rules exist for hospitals and health care organizations. According to the Health & Human Services website, the information that must be protected includes:

"Information your doctors, nurses, and other health care providers put in your medical record; conversations your doctor has about your care or treatment with nurses and others; Information about you in your health insurer’s computer system; billing information about you at your clinic; and most other health information about you held by those who must follow these laws."

The companies that must follow this law are called "covered entities," and include doctors, pharmacies, nursing homes, HMO's, health plans, health insurance companies, and vendors hired under certain conditions.

Data Breach Affects 4.9 Million Active And Retired Military Personnel And Their Families

TRICARE Management Activity, the health care program for military personnel worldwide, reported last week a massive data breach involving the personal and medical records of 4.9 million active and retired military personnel and their families. The backup computer tapes, stolen from a contractor's automobile, included records from a military health system that captured patient data from 1992 to September 7, 2011. The lost/stolen information included:

"... Social Security numbers, addresses and phone numbers, and some personal health data such as clinical notes, laboratory tests and prescriptions. There is no financial data, such as credit card or bank account information..."

In its press release, TRICARE stated that it will take about four to six weeks to notify directly all breach victims. A breach investigation is underway. The contractor company is Science Applications International Corporation (SAIC). SAIC is operating an Incident Response Call Center, which breach victims can call. Breach victims should monitor their credit reports, and report any fraud to the U.S. Federal Trade Commission and to local law enforcement.

While TRICARE estimated the risk to breach victims as low, and stated in its press release that special computer hardware and software are required to access the data on the backup tapes. Based on this estimate, TRICARE is not offering breach victims complimentary credit monitoring or credit resolution services. In my opinion, that is unacceptable and not the way to support the troops. It places the burden on troops who are busy defending the country, often at risk of life. It is a time consuming and burdensome process to fix medical records that co-mingle both the victim's and the fraudster's health history. TRICARE and SAIC are responsible for maintaining adequate data security, and should do the right thing: provide free credit monitoring and credit resolution for two to five years to breach victims.

If there is one thing I have learned while writing this blog is that identity thieves and fraudsters are persistent, and often have access to the same computing resources that everyone else has. Simply, it may take time for the criminals to access the stolen data, and the criminals have the time. The value of the stolen data is unquestionable, and is sufficient for identity thieves to obtain medical care fraudulently, assume others' identities, and/or reuse the Social Security numbers for other identity fraud acts or fraudulent employment.

SAIC describes itself as:

"... a FORTUNE 500® scientific, engineering, and technology applications company that uses its deep domain knowledge to solve problems of vital importance to the nation and the world, in national security, energy and the environment, critical infrastructure, and health. We do this with the constant and deliberate commitment to ethical performance and integrity that has marked SAIC since its founding."

Refusing to help breach victims by avoiding to pay for credit monitoring and resolution services does not demonstrate any type of "commitment to ethical performance" or problem solving. Rather, it is hoping the problem will simply go away, and leaves the breach victims with the monitoring and cleanup burden. To use an American football analogy, TRICARE and SAIC have simply punted the football.

Interested military personnel and families should read the TRICARE press release with accompanying questions and answers (PDF).

If you agree and believe that both TRICARE and SAIC should do more, share your opinions below and at:

• SAIC: Facebook, Twitter
• TRICARE Management Activity: Facebook, Twitter

Doctor Paid $40K For Illegal Disposal Of Patients' Files

Last week, North Carolina Attorney General Roy Cooper announced that Dr. Ervin Batchelor, owner and operator of the Carolina Center for Development and Rehabilitation (CCDR), has paid $40,000 for the alleged illegal disposal of patients medical records.

In June of 2010, the CCDR dumped 1,000 patient files at the West Mecklenburg Recycling Center. The files contained names, addresses, dates of birth, Social Security numbers, drivers’ license numbers, insurance account numbers, and health information for 1,600 people. Mecklenburg County officials contacted the Attorney General’s Office, which then launched an investigation into the illegal dumping.

Besides the fine, Dr. Batchelor has agreed to comply with both state and federal data security laws to protect patients' personal financial and medical information. The CCDR has already notified patients of the data breach. North Carolina law requires businesses and local government agencies to notify consumers affected by a data breach.

In North Carolina, organizations must also report data breaches to the Consumer Protection Division. A total of 889 breaches involving information about more than 3.3 million North Carolina consumers have been reported since state laws on security breaches took effect in 2005 and 2006. AG Cooper said:

“Any business you entrust with your information has a duty to keep it safe. Sensitive financial and health information should never be carelessly dumped, putting customers and patients at risk of identity theft.”

I agree. This is a good example of why it is important for all organizations that archive consumers' personal medical and financial information should have data security procedures in place to prevent data breaches. Unfortunately, several special interest groups have lobbied the U.S. Congress for exemptions to Red Flag Rules, notably physicians and accountants. Special interest groups often claim that the Red Flag Rules are an unnecessary and cumbersome burden.

Well, post data breach responses are a huge burden on organizations. The above fine is one of many costs. And, the improper disposal or theft of consumers' sensitive personal financial and medical information is a huge burden on consumers. Instead of wasting time and resources looking for ways to avoid protecting consumers' information, these groups should be doing the opposite. Protecting consumers' data is in both their and consumers' best interests.

Attorneys General Increase Enforcement Of State Data Breach Laws; WellPoint To Settle Class Action Lawsuit

One way to understand what organizations and executives should know about data security and data breach laws is to read about the advice their law firms provide. The law firm of Dickstein Shapiro advises its corporate clients on several topics including dispute resolution, corporate finance, energy, government law, government contracts, public policy, and intellectual property.

In an alert to its clients, the firm discussed the recent settlement agreement between WellPoint and the State of Indiana Attorney General Office:

"... the AG settled with WellPoint for violations of the State's data breach notification law (although, notably, not for violations of federal health care data protection rules under HIPAA)... Wellpoint notified affected customers three months after it had corrected the problem. Additionally, WellPoint did not notify the AG of the breach. Under the settlement, WellPoint was required to: (1) pay a $100,000 fine to a state fund providing restitution to defrauded consumers; (2) provide up to two years of credit monitoring and identity theft protection to each person exposed; and (3) provide up to $50,000 to address further losses each person exposed might experience."

About the proposed Federal data breach legislation, the alert said:

"Until there is a comprehensive data protection and notice law at the federal level applicable to businesses generally, AGs will continue to be aggressive in enforcing their States' data breach notification and data privacy laws. At present, 46 States have data loss notification laws, and the majority of States also have laws requiring that businesses protect customer and employee data. AGs have used these laws to obtain substantial settlements, protect consumers, and change business practices."

About medical records data security, the alert said:

"State AGs also have the authority to enforce federal data breach notification laws governing protected health information. The HITECH Act, Title XIII of the 2009 stimulus bill (the American Recovery and Reinvestment Act) imposes notice obligations on entities covered by HIPAA when they experience a breach affecting protected heath information and allows for enforcement of the Act by State AGs using their parens patriae authority. AGs may bring a civil action in federal court for injunctive relief or monetary penalties... AGs also may seek to recover costs and reasonable attorneys fees incurred in prosecuting a successful action."

According to American Medical News, WellPoint has agreed to settle the class-action lawsuit filed in California. The terms of the reported settlement agreement seem similar to the terms of the agreement with the Indiana AG. The class-action settlement includes:

• Two years of credit monitoring service for all breach victims
• Reimbursement to class-action participants for identity theft losses of up to $50,000 per incident,
• Extended time to file identity theft claims until May 31, 2016,
• Class-action participants filing claims are eligible for an additional five years of credit monitoring, and
• WellPoint will donate $250,000 total to two nonprofit organizations involved with consumers online privacy

Comparison Of The Current Data Breach Bills In Congress

There is a good article by the Center For Democracy And Technology (CDT) which compares the current data breach bills in the U.S. Congress. I discussed this proposed legislation in this prior blog post. The CDT reported:

"... there are a number of pending data breach bills, including Representative Rush’s DATA, Representative Bono Mack’s recently marked up SAFE Data Act, and Senators Pryor and Rockefeller’s (acronym-free) Data Security and Breach Notification Act. Other pending legislation, including Senator Leahy’s Personal Data Privacy and Security Act as well as the White House’s Cybersecurity Proposal, also addresses data breaches."

This proposed legislation is important because:

"Current federal law requires notification of consumers in the event of a breach only in limited circumstances, while nearly every state has its own version of a data breach law. Congress is now looking to simplify data breach laws with a national standard, but the question is whether such a standard would be a step forward for consumers. It’s an issue, that CDT has been following since at least 2005."

Whenever politicians want to "simplify" something, it's usually time to start worrying. What may be simpler for corporations and organizations could place consumers' sensitive personal information at risk. And, the usually players will argue about the cost burdens on companies. Let's remember the burdens on consumers, too, who typically have fewer resources.

When I read proposed legislation, I consider it effective data breach legislation when it addresses all of the following components:

1. Definition of personal information. This can be tricky. Just as there are various data elements available about consumers today (e.g., GPS location data attached to photos, images, tweets, social media posts, etc.) that didn't exist 5 or 10 years ago, future technologies will contain new data elements that don't exist today.
2. Define organizations covered by this law. It should cover all organizations in both the private and government sectors. in prior "Red Flag" legislation, attorneys gained an exclusion
3. Dictate how data should be protected (e.g., if electronic records, then encryption) both during transmission and during storage. The legislation has to assume that a variety of identity-theft criminals and hactivists will continually attempt to hack or breach websites containing sensitive consumer information. Prior legislation seemed to assume the traditional data storage within a company's premises. Futurre legislation must assume traditional and cloud-computing storage. Ideally, certain types of sensitive personal information shouldn't be "stored in the cloud."
4. Define the types of events (e.g., a minimum number of records exposed, doemstic locations, international lcoations) that trigger notification
5. Define the parameters of notification (e.g., personal letter via snail mail, ads in news media)
6. Define the assistance provided to breach victims (e.g., consumers, employees, customers). There is no standard definition of "credit monitoring" which may or may not include credit monitoring, quarterly or real-time updates, real-time notices, credit resolution, insurance, and credit scores. Typically, companies offered one or two years of free credit monitoring services. This length is insufficient given the high value and long life of various data elements (e.g., Social Security Numbers).
7. Effect on state law. According to the National Council of States Legislatures (NCSL), at October 2010 about 46 states in the USA plus Puerto Rico and the U.S. Virgin Islands have breach notification laws. The four states lacking breach notification laws are Alabama, Kentucky, New Mexico, and South Dakota. Weak federal legislation that supercede state law would be a step backwards for residents in states with strong breach notification and data security laws.
8. Fit with existing law. There are existing laws for medical and financial informaton. New breach legislation should not weaken these existing laws.
9. Contain sufficient penalties for violators. This can't be a simple "slap on the hand," and must contain sufficiently high fines and/or jail time for repeat offenders.

WellPoint To Pay $100K Settlement To State of Indiana For Data Breach

On Tuesday, the State of Indiana Attorney General Office announced an agreement with WellPoint regarding the health care insurer's data breach in 2010. WellPoint will pay the State $100,000 for the breach with exposed the sensitive personal information of 32,051 Indiana residents. The settlement resolved a lawsuit that Indiana Attorney General Greg Zoeller's office filed under a new data-breach notification law passed in 2009.

A faulty website security update exposed the personal, financial, and medical information of about 470,000 consumers nationwide, including about 5,600 in Connecticut and 230,000 in California. The breach victims included patients who used the company's website to apply for individual health insurance through WellPoint subsidiaries (Anthem Blue Cross or Anthem Blue Cross and Blue Shield) in 10 states.

The data breach exposed consumer information from October 23, 2009, to March 8, 2010. A consumer alerted WellP:oint on February 22, 2010, and again on March 8, 2010, that records containing personal information were potentially accessible. Upon notification, Affected consumers were notified about the breach starting June 18, 2010. Indiana Attorney General Greg Zoller said:

"This case should be a teaching moment for all companies that handle consumers' personal data: If you suffer a data breach and private information is inadvertently posted online, then you must notify the Attorney General's Office and consumers promptly. Early warning helps minimize the risk that consumers will fall victim to identity theft."

I agree. Breach detection, early notification of consumers, and prompt action are essential. I only wish the settlement amount was larger.

A Second Data Breach at Health Net Affects 1.9 Million Consumers

On Monday of this week, Health Net announced a data breach and the company's ongoing investigation into lost/stolen server drives from its data center in Rancho Cordova, Calif. According to the press release:

"This investigation follows notification by IBM, Health Net’s vendor responsible for managing Health Net’s IT infrastructure, that it could not locate several server drives. After a forensic analysis, Health Net has determined that personal information of some former and current Health Net members, employees and health care providers is on the drives, and may include names, addresses, health information, Social Security numbers and/or financial information."

This is interesting for several reasons. First, the Health Net press release didn't disclose either the number of lost/stolen server drives, nor the number of consumers' records lost/stolen. That's usually a bad sign that the breach is a huge one. The California Department of Managed Health Care (DMHC) issued a statement (43k bytes; PDF document) that the Health Net breach included 1.9 million current and prior Health Net customers nationwide, including:

"... more than 622,000 enrollees in Health Net products regulated by the DMHC, more than 223,000 enrolled in California Department of Insurance products, and a number enrolled in Medicare."

The DMHC is rightly concerned and conducting its own investigation. The DMHC statement also said that nine (9) Health Net server drives were missing.

Second, the above Health Net press release mentioned the name of an IT outsource vendor I recognized, IBM. I have had some direct, personal experience with an IBM breach. And IBM's involvement in the Health Net breach has a twist of irony.

After its 2007 data breach, IBM never disclosed what actions it took, if any, with the outsource vendor it hired to ship its backup computer data tapes to an off-site facility. Did IBM fire its vendor, or were specific vendor's employees disciplined or terminated? We never learned what happened. Now, to use a common expression, "the shoe is on the other foot" as IBM is the vendor involved in its client's data breach.

Third, this is the second huge data breach at Health Net. In November 2009, Health Net suffered a huge data breach. That 2009 data breach included hard drives, too, where the sensitive personal data lost/stolen included the Social Security numbers, medical records and health information dating back to 2002 of 1.5 million past and current customers in several states. During the last few months, Health Net paid fines to several states to settle the 2009 breach. Several states' attorney generals alleged that the 2009 breach violated the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA), and some states' local laws.

Fourth, ABC News focused its coverage on the delayed notification. Apparently, Health Net learned about the missing server drives in February, notified the California Attorney General's office on March 4, and then notified the public on March 14. The delay in notificaton was part of the rationale for the settlement fines Health Net paid as a result of its 2009 data breach.

Fifth, the Connecticut Attorney General's office has demanded that Health Net provide identity-theft and credit protectons for 25,000 Connecticut residents affected by the data breach. In its breach announcement, Health Net has hired Debix (again) to provide two years of complimentary identity-theft and credit protection for breach victims.

Sixth, the nationwide impacts of the Health Net data breach are jsut becoming known. About 40,000 consumers in Washington state have been affected. I expect more states' regulatory agencies and/or attorney generals to issue statements about the impacts in their states.

After such a huge data breach in 2009, you'd think that the executives at Health Net would "get it," implement tightened data security, and implement both new data security policies and employee training to prevent another massive data breach. Well, another massive breach happened. As a wise person once said, actions speak louder than words.

I am hoping that the consequences for Health Net executives include much more than fines. Executives need to be fired and/or jailed. What do you think? What action, if any, should Health Net take with its outsource vendor, IBM?

Report: Health Care Industry Privacy, Security, and Data Breaches

Last month, the Deloitte Center for Health Solutions released a new report, "Privacy and Security in Health Care: A Fresh Look." The report identified the risks about privacy and security breaches within the health care industry, and recommended solutions for health plans, information technology vendors, and both federal and state health agencies.

The report found several reasons for increased risks:

• Lack of internal resources (human resources and capital)
• Lack of internal control over patient information
• Lack of upper management support
• Outdated policies and procedures
• Inadequate training of staff and personnel

According to Paul Keckley, Ph.D., and executive director of the Deloitte Center for Health Solutions:

"Medical fraud is a serious issue, and 67 percent of consumers we polled believe fraud has a major influence on driving up the overall cost of healthcare."

The Health Insurance Portability and Accountability Act (HIPAA), enacted in April 2003, requires health care organizations to report data breaches of 500 or more records. Deloitte analyzed the breaches by organization type:

• 71% - Health Care Provider
• 16% - Health Plan
• 14% - Hybrid Entity

About one-third of all health care breaches result in medical identity theft; patients' health records were used by identity criminals. Deloitte also analyzed the data breaches by equipment type:

An important summary:

"The total economic burden created by data breaches in the health care industry is nearly $6 billion annually. The impact of a data breach over a two-year period is approximately $2 million per organization and the lifetime value of a lost patient is $107,580."

Located in Washington, D.C., the Deloitte Center for Health Solutions is the health services research unit of Deloitte LLP, the accounting and consulting company.The unit provides research for various Deloitte operations. Its research activities focus on three areas:

"1. Health policy and health reforms in the U.S. health care system;
2. Disruptive innovations that result in innovative solutions to improve efficiency and effectiveness, and
3. Consumerism, incorporating how end users of health goods and services think and behave."

The report does a good job of explaining the status of various legislation (e.g., HIPAA, ARRA, Red Flags, HITECH) about data security for the health care industry. The report also provides a glossary of terms.

Given the risk factors, the ongoing history of data breaches, and the rapid pace of change with new technologies (e.g., mobile devices), I don't see this situation improving quickly nor soon. To learn more, download the Deloitte Center report (595k bytes, PDF).

Mass General Pays $1 Million Fine For Data Breach

Last week, the Department of Health and Human Services (HHS) announced that it had reached a settlement with the General Hospital Corporation and Massachusetts General Physicians Organization Inc. (Mass General). Mass General agreed to pay the U.S. Government $1 million:

"... to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule..."

The "potential violation" is from a March 2009 data breach which included:

"... the loss of protected health information (PHI) of 192 patients of Mass General’s Infectious Disease Associates outpatient practice, including patients with HIV/AIDS... Mass General failed to implement reasonable, appropriate safeguards to protect the privacy of PHI when removed from Mass General’s premises and impermissibly disclosed PHI potentially violating provisions of the HIPAA Privacy Rule."

The impermissible disclosure of PHI included the loss of:

• Documents containing patient schedules with names and medical record numbers for 192 patients,
• Billing forms containing the name, date of birth, medical record number, health insurer, policy number, diagnosis, and name of providers for 66 of the 192 patients

A Mass General employee left the records on a subway train while commuting to work. The records were never recovered. As part of the settlement, Mass General signed a Resolution Agreement with HHS that requires it to develop and implement a comprehensive set of policies and procedures to safeguard the privacy of its patients.

Health Net: The Cost of a Data Breach

You may recall, in 2009 a data breach at Health Net exposed the personal and medical information of 1.5 million patients in several states: Arizona, Connecticut, New Jersey, New York, and Vermont. Some updates:

• The Hartford Courant reported that the State of Connecticut fined the insurer $375,000, as the breach affected 446,000 Connecticut residents
• The insurer will pay a $55,000 fine to the State of Vermont for failing to notify affected Vermont residents of the breach
• In July 2010, the insurer had settled with the State of Connecticut for a $250,000 fine and a "Corrective Action Plan" to prevent future breaches

The actual costs to the insurer are far more, including the cost of security investigations, internal process and data security changes, two years of paid credit monitoring service for breach victims, and legal fees.

Statistics: Data Breaches With Patients' Personal Health Information

Data security in hospitals and health care organizations is far from what it should be. The HIPAA blog reported that as of January 5, 2011 there were 217 reportable data breaches affecting 6.3 million people. "Reportable" according to HIPAA rules is a single breach event affecting at least 500 people that must be reported to HHS. The HIPAA blog noted:

"... Over half [of breach events] are the loss or theft of some computer device or media, and half of those are lost/stolen laptops. All of those cases involved unencrypted information on those laptops and computer devices. If that information had been encrypted, there would have been no need to make a report."

If you don't know, HIPAA = Health Insurance Portability and Accountability Act of 1996.

South Shore Hospital Post-Breach Response And Medical Data Security Workshop

This organization's post-breach response has been disappointing. First, some background. Weymouth Massachusetts-based South Shore Hospital (SSH) announced in July a data breach that affected 800,000 patients (and former patients), including patients also at Harbor Medical Associates and South Shore Physician Hospital Organization. The computer files in that breach contained patients' medical and financial information that was not encrypted. Encryption is preferred because it makes it difficult for identity thieves to access and use stolen information.

During July, the hospital also posted a sample breach notification on its website. The good news: that sample notification provided instructions for breach victims to protect themselves and their sensitive personal/medical information. The bad news: breach victims will learn this only if they heard or read about it in various news reports, blogs (like this one), or visited the hospital's website. SSH did not notify breach victims directly.

Earlier this month, in a statement at its website SSH announced the completion of its breach investigation. SSH engaged Huron Consulting (PDF document with investigation report) to assist with the breach investigation. In a statement about the breach investigation, SSH:

"... concluded that there is little to no risk that information on the files has been or could be acquired, accessed or misused based on the following key investigation findings: The back-up computer files were stored on unmarked computer tapes that were packed in three sealed boxes... South Shore Hospital, the private investigation team, and Ohio-based R+L Carriers – the company that transported the files for offsite destruction – conducted multi-state searches for the two missing boxes... two boxes of computer tapes are believed to have been disposed of in a secure commercial landfill that R+L Carriers uses to dispose of unclaimed materials and are therefore unrecoverable... Even if the computer tapes were found, Huron’s experts have concluded that specialized equipment, proprietary software, sophisticated knowledge, time and financial resources would be required to access, aggregate, interpret and ultimately use information on the files."

To summarize, three companies, including the one that originally lost the computer tape shipment, looked high and low for the lost/stolen shipments. The believe that it ended up in a secure landfill. And breach victims are supposed to believe that this is okay.

What? Believing a thing does not make it so. After three years of writing this blog, I have learned that identity thieves are persistent and creative. Does SSH really believe that criminals won't open sealed boxes. Does SSH really believe that identity criminals wouldn't be curious about what is on unmarked computer tapes? SSH's above statement stretches believability and insults consumers' intelligence.

Plus, "little to no risk" does not mean zero risk. What is "little risk?" Five percent, one percent, or half of one percent? Risk is personal. What one person considers risky another may not. Would you feel secure with a 5% chance that your sensitive personal and medical information could be abused and misused? Breach victims deserve better: to be directly notified and fully informed. Breach victims have the right to decide for themselves what risk they want to assume.

Plus, should identity thieves use the stolen information the risk is to the breach victims who will likely be the first to notice the problem on Explanation Of Benefits statements, when reading their medical records, or when accessing health care services. I find the part about "specialized equipment, proprietary software, sophisticated knowledge, time and financial resources" debatable since identity criminals regularly develop and distribute sophisticated computer viruses, phishing emails, and phishing websites. The continual flood of phishing scams indicates that scammers around the planet make money with identity theft and fraud. If they didn't make money, the phishing scams would stop.

Stricter data security regulations went into effect in Massachusetts in March. Moreover, Massachusetts' 2007 breach notification law requires organizations to notify breach victims individually, with this exception for "substitute" notification:

"... if the person or agency required to provide notice demonstrates that the cost of providing written notice will exceed $250,000, or that the affected class of Massachusetts residents to be notified exceeds 500,000 residents, or that the person or agency does not have sufficient contact information to provide notice."

Apparently, the hospital is using "substitute" notification for its breach response: notices at its websites and in newspapers. More likely, the hospital is trying to minimize total post-breach costs, which usually include notification, legal fees, fines, and complimentary credit/medical monitoring services.

The Massachusetts Attorney General's office issued this response about SSH's decision not to notify breach victims individually:

"The Attorney General’s Office has objected to South Shore Hospital’s revised notification plans and maintains that affected consumers should receive individual notification as originally represented by South Shore Hospital in its prior public announcements concerning the data loss. The Attorney General’s Office will continue to monitor and investigate South Shore Hospital’s actions..."

I wonder what breach victims (e.g., patients and former patients) think of SSH's post-breach response. Other hospitals and health care organizations (e.g., AvMed and BC/BS of Tennessee) notified their breach victims individually and provided complimentary credit/medical record monitoring services. Insurer Health Net chose not to notify its breach victims and was investigated by several states' attorney general offices.

Prior research indicated that data security at hospitals is poor. It seems to me that breach victims want SSH to demonstrate with its actions that it is doing everything to protect their sensitive personal and medical information. That includes both effective data security methods to prevent breaches, and helping patients protect themselves after a data breach. After all, the breach was SSH's fault (via an outsourced vendor) and not the patients' fault.

A comprehensive and consumer-friendly breach response means doing more than the legal minimum. SSH's post-breach seems like the hospital is cutting corners. If the hospital cuts corners here, I wonder where else it cuts corners in its operations and data security. Knowing all of this, would you go to SSH for health care?

To learn more about these breach notification and related medical data security issues in general, there will be a workshop Tuesday September 21 about HIPAA, HITECH and the new Massachusetts data security laws that became effective in March 2010 (e.g., MA 201 CMR 17). The workshop, sponsored by Sophos and the Mintz Levin law firm, will discuss related compliance, legal, technology, and security issues with medical information. Scheduled speakers include representatives from the Ponemon Institute, Mintz Levin, Sophos, and MFA Cornerstone Consulting.

This workshop seems especially appropriate and timely given the SSH data breach and the hospital's post-breach response. I registered for the workshop and will report in this blog what I hear and learn.