Breach Notification: Lessons Learned
A privacy officer shares real-world experiences
John Muir Health, a Walnut Creek, Calif.-based two-hospital system, notified federal regulators, the media and nearly 5,500 patients of a breach following a burglary at a perinatal clinic. Thieves took two unencrypted laptops plus a variety of other electronic equipment. So far, law enforcement officials haven't solved the crime, nor have they gotten reports of fraud related to the theft.
Based on its experience with breach notification, Hala Helm, John Muir's chief compliance and privacy officer, advises other healthcare organizations to:
- Be conservative when determining whether an incident involves significant risk to patients, erring on the side of reporting the breach even if risk seems relatively minimal;
- Hire an outsourcing firm to help speed the mass mailing of alerts to patients;
- Cast a broad net when notifying the media and make executives available for interviews;
- Conduct ongoing training of staff on privacy and security matters; and
- Be sure to encrypt laptop devices.
Under the HITECH breach notification interim final rule, healthcare organizations must determine whether a particular data security breach presents a "significant risk" of harm and thus needs to be reported. This "harm threshold" has proven controversial because it means federal regulators are largely leaving it up to healthcare organizations to decide whether they must give notification of a breach. (The 2013 HIPAA Omnibus Rule later replaced the harm threshold with a presumption that an impermissible disclosure is a reportable breach unless a documented four-factor risk assessment shows a low probability that the information was compromised.)
Determining the risk posed by a breach incident is extremely challenging, Helm says. But when in doubt, she says, it pays to keep patients well-informed.
"We enjoy a very favorable position in our community. Although we felt that the risk to patients from this incident was very low, and it was not attributable to our negligence, we didn't want to do anything to jeopardize our relationship with our patients. So we took a conservative approach."
The laptops were stolen after business hours from a locked third floor office in a locked building with a security guard on duty and disabled elevators. And the patient information on the devices was within clinical applications "that would take specialized knowledge" to access, Helm says.
As a result of the "harm threshold" provision in the breach notification rule, healthcare organizations must "create a well-defined risk analysis process" to help them determine what breaches to report, says Tom Walsh, president of Tom Walsh Consulting LLC, an Overland Park, Kan.-based firm specializing in healthcare data security issues. "Now is the time to get that done."
Getting outside help
Once it decided to report the incident, the hospital hired an outsourcer to handle the timely mass mailing to patients. The letters offered patients a year's worth of free ID theft protection to help build goodwill. "We outsource all our mass mailings anyways," Helm notes.
Ben Drew, who handles media relations for John Muir Health, took the lead role in drafting the language in the letters, which was reviewed by attorneys. "You must have a good media relations person draft the press release and the letters," Helm says. "Putting them in a format that's polished and easy for people to understand is key."
Rather than send a press release to one media outlet, John Muir Health sent it to all area newspapers, television stations and even a local business journal. "We tried to cast a net widely enough so that people would hear about it," says Helm, who did several TV interviews.
Although the organization alerted affected patients to the nature of personal information stored on the devices, it did not reveal details to the media. John Muir Health's attorneys told federal regulators they didn't want to publicize the nature of the information because the breach involved an ongoing burglary investigation, and regulators agreed, Helm says.
A cross section of staff members, from IT to marketing to senior executives, was involved in the breach notification planning. At the time of the incident, however, the organization had not yet updated its breach reporting plan, originally designed with California state regulatory requirements in mind, to reflect the new HITECH requirements, Helm acknowledges. It's in the process of beefing up its plan to include more details on such aspects as notifying the media and federal authorities.
The incident provided a "teachable moment" to remind staff members about the importance of safeguarding privacy. Plus, the organization conducts annual training on privacy and security policies as well as year-round updates. "I'm constantly going to departmental meetings to talk about this issue. We are always reminding people about the importance of this."
At the time of the incident, John Muir Health was in the process of encrypting all its laptops, based on a risk assessment. The devices taken in the burglary had not yet been encrypted, Helm says, because they were perceived to pose a low risk, especially compared with laptops used by home health nurses or traveling executives.
Since the burglary, the organization has encrypted all laptops, which are now bolted to desktops, at the perinatal office. And it's continuing to encrypt devices throughout the enterprise.
The breach notification rule contains a "safe harbor" that exempts organizations from reporting breaches if the health information involved was encrypted in a manner consistent with HHS guidance (which, for data at rest, points to NIST Special Publication 800-111), rendering it unusable, unreadable or indecipherable to unauthorized individuals. In practice the safe harbor only applies if the organization can show the stolen device's data volumes were actually encrypted and the decryption key was not recoverable from the device, so an inventory that records which volumes are encrypted is as important as the encryption itself.
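The following script is an added example, not John Muir Health's own tooling, of the kind of check that backs up the inventory just described: it walks the block-device tree reported by Linux `lsblk` and flags every mounted filesystem that does not sit beneath a dm-crypt (LUKS) mapping. A filesystem counts as encrypted only if it, or an ancestor in its device chain, is a `crypt` device, which handles both LUKS directly on a partition and LVM-on-LUKS layouts. The `lsblk` JSON embedded below is constructed for illustration; run with `--live` to query the host instead.

```python
"""Report which mounted filesystems are backed by dm-crypt/LUKS.

Added example for this article; not code from John Muir Health.
Parses `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` (util-linux) output.
"""
import json
import subprocess
import sys

# Constructed sample of lsblk JSON for a laptop whose root volume is LUKS-encrypted
# but whose second disk holds a plaintext data partition. Not real output.
SAMPLE_LSBLK_JSON = r'''
{"blockdevices": [
  {"name": "sda", "type": "disk", "fstype": null, "mountpoint": null, "children": [
    {"name": "sda1", "type": "part", "fstype": "vfat", "mountpoint": "/boot/efi"},
    {"name": "sda2", "type": "part", "fstype": "crypto_LUKS", "mountpoint": null, "children": [
      {"name": "cryptroot", "type": "crypt", "fstype": "ext4", "mountpoint": "/"}]}]},
  {"name": "sdb", "type": "disk", "fstype": null, "mountpoint": null, "children": [
    {"name": "sdb1", "type": "part", "fstype": "ext4", "mountpoint": "/data/clinic"}]}
]}
'''

# Boot loader partitions are normally unencrypted and are not a finding by themselves.
EXPECTED_PLAINTEXT = ("/boot", "/boot/efi")


def mounted_filesystems(devices, encrypted_above=False):
    """Yield (mountpoint, device name, encrypted) for every mounted filesystem.

    A filesystem is encrypted if any device in its ancestor chain is a 'crypt'
    mapping; the flag is inherited as the recursion descends through children.
    """
    for dev in devices:
        encrypted = encrypted_above or dev.get("type") == "crypt"
        # util-linux 2.37+ reports a "mountpoints" list; older builds report "mountpoint".
        mountpoints = dev.get("mountpoints") or [dev.get("mountpoint")]
        for mp in mountpoints:
            if mp:
                yield mp, dev["name"], encrypted
        yield from mounted_filesystems(dev.get("children", []), encrypted)


def audit(lsblk_json, expected_plaintext=EXPECTED_PLAINTEXT):
    """Return (status, findings).

    status maps each mountpoint to True (encrypted) or False (plaintext);
    findings lists plaintext mountpoints that are not expected to be plaintext.
    """
    tree = json.loads(lsblk_json)
    status = {}
    for mp, _name, encrypted in mounted_filesystems(tree["blockdevices"]):
        status[mp] = encrypted
    findings = sorted(mp for mp, enc in status.items()
                      if not enc and mp not in expected_plaintext)
    return status, findings


def main():
    if len(sys.argv) > 1 and sys.argv[1] == "--live":
        # Query the running Linux host; requires util-linux's lsblk.
        lsblk_json = subprocess.run(
            ["lsblk", "-J", "-o", "NAME,TYPE,FSTYPE,MOUNTPOINT"],
            check=True, capture_output=True, text=True).stdout
    else:
        lsblk_json = SAMPLE_LSBLK_JSON
    status, findings = audit(lsblk_json)
    for mp, enc in sorted(status.items()):
        print(f"{mp:<15} {'encrypted' if enc else 'PLAINTEXT'}")
    if findings:
        print("Unencrypted data volumes:", ", ".join(findings))
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

On the constructed sample the script reports `/` as encrypted, `/boot/efi` as expected plaintext, and `/data/clinic` as a finding, exiting non-zero. The equivalent host-side checks on other platforms are `manage-bde -status` (BitLocker) and `fdesetup status` (FileVault). Keep in mind that at-rest encryption only protects a device that is powered off or locked with the volume dismounted; a laptop stolen while suspended with its volume unlocked does not qualify for the safe harbor.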
The total cost of coping with the breach was in the tens of thousands of dollars, Helm says, or less than the deductible amount on the organization's liability insurance, which likely would have covered higher breach expenses.
Based on her experience, Helm offers two other pieces of advice:
- Conduct a "fire drill" for a breach incident to run through how to conduct a risk assessment to measure the potential harm involved and figure out how to determine what information is stored on a particular device.
- Make sure all staff members, as well as board members, know all the details of an incident before reporting it to the media. "I cannot overemphasize the role of communication in all of this."