The tapes were recovered a month later and authorities believe the data they held was not accessed by the petty thieves who broke into a courier's car and made off with them. Almost comically, the thieves, not knowing what they contained, tried to view the tapes using a VHS player, according to police reports.
But the damage had been done. And two years later, UUHC is still feeling the pain as it finds itself embroiled in lawsuits with business partners and tries to recoup the huge costs of responding to the data theft. The state-owned but self-sustaining health system provides an object lesson for hospitals hoping to avoid the same fate when electronic patient records are lost or fall into the wrong hands. Vigilance, due diligence, well-crafted contracts, data encryption and cyber insurance are all elements of a comprehensive data loss protection plan.
Eight days after the theft, UUHC went public. To its credit, the health system promised to notify every patient whose billing information was on the tapes and provide them with a free year of credit reporting.
The breach occurred before the breach notification rule mandated under the HITECH Act went into effect.
The rule, which went into effect in September 2009, requires health care organizations that suffer a breach affecting more than 500 individuals to alert the local media and the affected individuals, and to report the breach to the Health and Human Services' Office for Civil Rights.
The OCR posts information on those breaches on a Web site accessible via www.hhs.gov/ocr/privacy/index.html. Notification, however, does not have to be made if the personal health information affected by the breach is encrypted or otherwise made "unreadable" by electronic means.
"The billing records included patient names, related demographic information and diagnostic codes. None of the records contained credit card information. Records for a subset of 1.3 million patients [later revised to 1.1 million] also contained Social Security numbers," UUHC said in a June 10, 2008 press release.
The decision to go public was not made lightly, though.
"That was a big conversation internally," says UUHC spokesman Christopher Nelson. "We did a good job in communicating and offering some response so people felt we were taking this seriously."
Dealing with the damage
UUHC set up a third-party call center, sent out 2 million letters (originally it was believed 2.2 million records were stolen, but after the deceased and duplications were removed, the number was lowered), fielded 11,000 calls from worried patients and claimed it spent "6,632 personnel hours" on the matter.
"We did a whole lot of talking to patients and initially wanted to handle this [the call center] internally, but realized we couldn't. It was impossible to pull staff out of their regular jobs," adds Nelson.
Indeed, the decision to do the right thing was costly and now the hospital is trying to recoup the costs from its storage provider, Perpetual Storage Inc.
It was a Perpetual courier who kept the tapes overnight in his own vehicle, which the thieves broke into, according to police reports.
"We will use every means at our disposal to recoup the costs," says Nelson.
Perpetual's liability insurer, Colorado Casualty Insurance Company, is refusing to pay UUHC's claim on the grounds that electronic data is not covered in the storage concern's policy.
Going to the courts
On April 9, Colorado Casualty filed a complaint for declaratory judgment, which asked the court to sanction its decision to not pay the claim.
On May 25, UUHC responded by suing Perpetual, its insurance agent and Colorado Casualty to recover its costs. The jurisdiction is U.S. District Court, District of Utah, Central Division.
Indeed, Perpetual's policy would indicate Colorado Casualty, which is owned by Liberty Mutual Insurance Company, has a credible argument, according to court documents filed June 18 by Colorado Casualty in U.S. District Court, District of Utah, Central Division. Colorado Casualty spokesman Christopher Goetcheus said the company would not comment for this story.
The documents suggest what data security experts already know: general liability insurance is an unreliable basis for coverage when it comes to data loss.
"Ten years ago, we had not heard much about data security breaches. When they started to occur, companies turned to their general liability insurance and said 'indemnify me,'" says data security expert Francoise Gilbert, managing director at the IT Law Group, a Palo Alto, Calif., firm specializing in data issues.
"The insurance companies say 'hmm, this is not covered. What we cover is A, B and C and what happened to you is F.' But in the past five to eight years, we've seen a number of insurance companies offer products specifically directed to that," Gilbert adds.
In its court filing, Colorado Casualty cites language from what it claims is Perpetual's policy.
At the outset, it says "We will pay those sums that the insured becomes legally obligated to pay as damages because of 'bodily injury' and 'property damage' to which this insurance applies."
Then come these two statements: the policy says that it covers "tangible property", excluding electronic data, meaning "computer software, systems and applications, tapes, CD-ROMs, and data processing devices or any other media which are used with electronic equipment." What's more, the policy says "We do not cover property in transit."
Perpetual attorney Steven McMurray of Fabian & Clendenin in Salt Lake City said his client disagrees with Colorado Casualty's position, but declined to discuss the details of his argument.