Within the past two weeks, another new data breach involving identifiable protected health information (PHI) has emerged. This time, the breach occurred at the Martin Luther King Jr. Multi-Service Ambulatory Care Center in Los Angeles. According to media reports and the Privacy Rights Clearinghouse, a janitor at the care center removed 14 boxes of patient records and sold them to a recycling center. The records had names, genders, dates of birth, addresses, medical record numbers, and financial batch numbers on them, and involved patients who had accessed services at the ambulatory care center between January and October of 2008. The affected patients received notices of the breach last week.
This was the thirteenth healthcare-specific data breach documented by the Privacy Rights Clearinghouse in the past month. What’s more, a quick glance at that organization’s website shows that some of the most prestigious and respected healthcare organizations in the country are on that breach list, along with state and local governments, universities, manufacturers, life insurance companies, and grocery store chains. And don’t forget some spectacular recent breaches that have affected the Pentagon and other organizations.
It’s no wonder healthcare CIOs are scared out of their wits these days; this kind of thing is now virtually routine. What’s especially interesting in this particular case is that it appears the breach was unintentional and unconscious; an employee simply wanted to make money off recycling paper documents. The fact that paper was involved is also interesting, because as much as CIOs are (rightly) focused on the tremendous potential for electronic breaches of patient data, in this case, clearly, piles of paper were just sitting around at a patient care facility waiting to be misappropriated.
The fact is, breaches of the security and privacy of patient data are incredibly likely these days. And experts are telling us that it’s likely a matter of when, and not if, the next breach takes place at your organization.
My sense, from talking with the experts in this area, is that rather than believing we can totally prevent any breaches, the more realistic approach is to consider where and under what circumstances the most likely breaches might occur, and to carefully tailor one’s strategic data security plan accordingly. Sadly, statistically speaking, the greatest chances of a data breach are generally internal (though with many possible exceptions). Not surprisingly, then, a well-developed strategy that takes advantage of the latest in access monitoring and audit trails is likely to be one of the more successful strategies. At the same time, as the recent Los Angeles example attests, it’s clear that the chances of paper-based breaches remain high as well, and no data security plan should ignore that sphere.
I’d be very interested to hear from readers on this broad, critical topic. We certainly will continue to cover multiple aspects of this issue going forward. In that regard, please make sure to check out Managing Editor John DeGaspari’s important feature on data security breaches in the October issue of the magazine, beginning on p. 32. John talks with CIOs and industry experts about some of the latest learnings and trends in this critical area.