This organization's post-breach response has been disappointing. First, some background. Weymouth, Massachusetts-based South Shore Hospital (SSH) announced in July a data breach that affected 800,000 patients (and former patients), including patients also at Harbor Medical Associates and South Shore Physician Hospital Organization. The computer files in that breach contained patients' medical and financial information that was not encrypted. Encryption is preferred because it makes it difficult for identity thieves to access and use stolen information.
During July, the hospital also posted a sample breach notification on its website. The good news: that sample notification provided instructions for breach victims to protect themselves and their sensitive personal/medical information. The bad news: breach victims will learn this only if they hear or read about it in various news reports or blogs (like this one), or visit the hospital's website. SSH did not notify breach victims directly.
Earlier this month, in a statement on its website, SSH announced the completion of its breach investigation. SSH engaged Huron Consulting (PDF document with investigation report) to assist with the breach investigation. In a statement about the breach investigation, SSH:
"... concluded that there is little to no risk that information on the files has been or could be acquired, accessed or misused based on the following key investigation findings: The back-up computer files were stored on unmarked computer tapes that were packed in three sealed boxes... South Shore Hospital, the private investigation team, and Ohio-based R+L Carriers – the company that transported the files for offsite destruction – conducted multi-state searches for the two missing boxes... two boxes of computer tapes are believed to have been disposed of in a secure commercial landfill that R+L Carriers uses to dispose of unclaimed materials and are therefore unrecoverable... Even if the computer tapes were found, Huron’s experts have concluded that specialized equipment, proprietary software, sophisticated knowledge, time and financial resources would be required to access, aggregate, interpret and ultimately use information on the files."
To summarize, three companies, including the one that originally lost the computer tape shipment, looked high and low for the lost/stolen shipment. They believe that it ended up in a secure landfill. And breach victims are supposed to believe that this is okay.
What? Believing a thing does not make it so. After three years of writing this blog, I have learned that identity thieves are persistent and creative. Does SSH really believe that criminals won't open sealed boxes? Does SSH really believe that identity criminals wouldn't be curious about what is on unmarked computer tapes? SSH's above statement stretches believability and insults consumers' intelligence.
Plus, "little to no risk" does not mean zero risk. What is "little risk"? Five percent, one percent, or half of one percent? Risk is personal. What one person considers risky, another may not. Would you feel secure with a 5% chance that your sensitive personal and medical information could be abused and misused? Breach victims deserve better: to be directly notified and fully informed. Breach victims have the right to decide for themselves what risk they want to assume.
Moreover, should identity thieves use the stolen information, the risk falls on the breach victims, who will likely be the first to notice the problem on Explanation of Benefits statements, when reading their medical records, or when accessing health care services. I find the part about "specialized equipment, proprietary software, sophisticated knowledge, time and financial resources" debatable, since identity criminals regularly develop and distribute sophisticated computer viruses, phishing emails, and phishing websites. The continual flood of phishing scams indicates that scammers around the planet make money with identity theft and fraud. If they didn't make money, the phishing scams would stop.
Stricter data security regulations went into effect in Massachusetts in March. Moreover, Massachusetts' 2007 breach notification law requires organizations to notify breach victims individually, with this exception for "substitute" notification:
"... if the person or agency required to provide notice demonstrates that the cost of providing written notice will exceed $250,000, or that the affected class of Massachusetts residents to be notified exceeds 500,000 residents, or that the person or agency does not have sufficient contact information to provide notice."
Apparently, the hospital is using "substitute" notification for its breach response: notices on its website and in newspapers. More likely, the hospital is trying to minimize total post-breach costs, which usually include notification, legal fees, fines, and complimentary credit/medical monitoring services.
The Massachusetts Attorney General's office issued this response about SSH's decision not to notify breach victims individually:
"The Attorney General’s Office has objected to South Shore Hospital’s revised notification plans and maintains that affected consumers should receive individual notification as originally represented by South Shore Hospital in its prior public announcements concerning the data loss. The Attorney General’s Office will continue to monitor and investigate South Shore Hospital’s actions..."
I wonder what breach victims (e.g., patients and former patients) think of SSH's post-breach response. Other hospitals and health care organizations (e.g., AvMed and BC/BS of Tennessee) notified their breach victims individually and provided complimentary credit/medical record monitoring services. Insurer Health Net chose not to notify its breach victims and was investigated by several states' attorney general offices.
Prior research indicated that data security at hospitals is poor. It seems to me that breach victims want SSH to demonstrate with its actions that it is doing everything to protect their sensitive personal and medical information. That includes both effective data security methods to prevent breaches, and helping patients protect themselves after a data breach. After all, the breach was SSH's fault (via an outsourced vendor) and not the patients' fault.
A comprehensive and consumer-friendly breach response means doing more than the legal minimum. SSH's post-breach response seems like the hospital is cutting corners. If the hospital cuts corners here, I wonder where else it cuts corners in its operations and data security. Knowing all of this, would you go to SSH for health care?
To learn more about these breach notification and related medical data security issues in general, there will be a workshop on Tuesday, September 21 about HIPAA, HITECH and the new Massachusetts data security laws that became effective in March 2010 (e.g., MA 201 CMR 17). The workshop, sponsored by Sophos and the Mintz Levin law firm, will discuss related compliance, legal, technology, and security issues with medical information. Scheduled speakers include representatives from the Ponemon Institute, Mintz Levin, Sophos, and MFA Cornerstone Consulting.
This workshop seems especially appropriate and timely given the SSH data breach and the hospital's post-breach response. I registered for the workshop and will report in this blog what I hear and learn.