Only 10% of healthcare leaders in a recent survey indicated their organizations would notify patients in the event of a data breach affecting them, but 56% of those respondents whose organizations actually had experienced a data breach indicated their patients were notified of the security lapse.
This according to a report issued Tuesday by HIMSS Analytics, a data-analysis unit of the Chicago-based Healthcare Information and Management Systems Society and Kroll Fraud Solutions, a unit of Kroll Inc., which is a wholly owned subsidiary of Marsh & McLennan Cos., New York.
The report was based in part on a survey of 263 healthcare industry sources—including information technology professionals (50%), health information management professionals (21%) and chief security officers (12%)—that was conducted by phone in January. Only one respondent per organization was allowed to participate.
Of them, 13% indicated there had been an actual security breach at their organization in the prior 12 months. Most commonly compromised were the patient’s name (65%) and “high level patient information, such as diagnosis” (62%), the report said.
The authors note that “loopholes” in current federal privacy and security rules, including the Health Insurance Portability and Accountability Act of 1996, the Sarbanes-Oxley Act of 2002 and others “have enabled breach cases to go unreported, preventing an accurate report on frequency.”
But that period of grace is ending.
State legislatures are expected to once again follow the lead of California in the privacy and security area by mandating that data security breaches involving healthcare information become reportable events, the report said.
Since July 2003, California law has required that any government agency, person or business that maintains computerized data “shall notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the personal information was, or is, reasonably believed to have been, acquired by an unauthorized person.”
Under the 2003 law, personal information was defined as a person’s Social Security number, driver’s license number or California identification card, as well as an account number, credit or debit card number, in combination with any required security code, access code or password that would permit access to an individual’s financial account. Since then, about 40 states have passed similar data-breach notification laws.
Effective this January, however, California upped the ante, expanding the definition of personal information covered by its mandatory reporting law to include both medical information, such as a person’s medical history, treatment or diagnosis, mental or physical health condition; and what the law differentiates as “health information,” such as a person’s health insurance policy or subscriber number, application and claims history, as well as appeals records.
According to the HIMSS/Kroll report, recognizing that California regulations have inspired other states to introduce similar notification laws in the past, the enactment of a law extending reporting requirements to medical and insurance information “may reasonably be viewed as a harbinger of changes to come across the country.”
Under the new California law, “Virtually any loss or compromise of patient data will require patient notification,” the report said.
Medical information, it said, “is the most valuable and content-rich for fraudulent use and profitability.”
“In addition to name, Social Security number and date of birth (the golden combination), records in these facilities also contain mailing address, insurance policy information, medical history, and, in some cases, credit card and financial information to expedite billing and payment—more data in one record than those of any other source such as banks, schools or HR departments,” the report said.