News of the Day ... In Perspective12/22/2006
Lost patient data has cost Providence $7 million so far
A year and $7 million after backup tapes, with information on 365,000 patients, were stolen from an employee’s minivan, Providence Health & Services is still mired in the aftermath.
Companies never know when liability from stolen data will end, according to Kroll, a firm that helps manage security risks. Creditors may fail to correct the victims’ records, or the stolen data keeps getting resold and reused.
“You can’t stop the data from getting out. You just can’t,” said security researcher Alan Paller.
One use of stolen data is to submit fraudulent Medicare claims. Federal prosecutors allege that $2.8 million in false claims were based on a printout of information on 1,100 patients that a Cleveland Clinic receptionist gave to a relative.
Medical data is vulnerable at each hand-off. “As soon as [data] ends up at other organizations, it’s out of your control,” stated Paul Stamp, a security analyst at Forrester Research. “Yet if there’s a problem, it’s the primary doctor or insurer who gets the blame.”
Providence is providing patients with at least a year of free credit monitoring, and has promised free credit restoration unless it can show that the stolen data did not cause the patient’s problem. It has produced more than 60,000 pages of documents in a class-action lawsuit.
The FBI is predicting “a crime wave of health-care fraud, identity theft and cybercrime.” In the past year, the average cost per data breach has reached $4.8 million. The FBI estimates that U.S. businesses are losing $67.2 billion annually because of computer-related crimes. Since February 2005, 93.8 million personal records have been reported lost or stolen.
More than 90 percent of data breaches in the last year were in digital form; only 9 percent involved paper records. Some 40 percent of publicly disclosed security breaches were caused by hackers or insider access, specifically targeting sensitive personal information (Deborah Gage and Kim S. Nash, “Case Dissection: Serious Pain,” Baseline, December 2006).