Commentary: When it Comes to Data Breaches, Silence Not a Winning Strategy

Banner Health in Arizona recently suffered a serious breach of protected health information after sending copies of its twice-yearly Smart & Healthy magazine to 50,000 beneficiaries of the Medicare Pioneer Accountable Care Organization in Maricopa County.


The problem was that recipients’ Social Security or Medicare numbers were on the address label. Affected patients have been notified, as has local media. Independent Newspapers Inc., which covers several regions in the state, reported that Banner is offering beneficiaries free credit monitoring services.

The HIPAA breach notification rule requires notification to local media for incidents affecting 500 or more individuals. Some local reporters will call looking for more information and it’s a good idea to respond to local press; ignore them and they may ignore you when you want publicity for something nicer than a breach.

But Banner Health and other covered entities need not notify outside media outlets of breaches, and outside reporters calling are ignored most of the time. Health Data Management left a message for Bill Byron, vice president of public relations at Banner, asking for more information about the breach and protective services (ID theft resolution?), but he did not respond. There is no notice of the breach on Banner’s Web site, and there was no such notice on Feb. 24, which is about the time that local media were being notified, PHIprivacy.net reported on that date.

Like many organizations with a breach, Banner appears to be doing only what it absolutely must do under the breach notification rule, which is its right. But often, organizations with a breach are trying to hide it as best they can and the head-in-the-sand attitude might not be the best strategy as the HHS Office for Civil Rights expands its HIPAA privacy audit program this year and continues to investigate breaches as they are reported. Further, health consumers hopping on an organization’s Web site to get more details on a breach probably aren’t impressed when they find nothing at all--like it never happened.

Another reason to be forthcoming is that breaches often have common underlying causes … a software security flaw, a broken link in information exchange or some other security weakness that the industry could learn from.

In the Banner breach, for example, there were several areas where a security breakdown could have happened. The Arizona Republic reported that Banner got its mailing list from the Centers for Medicare and Medicaid Services, and CMS and Social Security Administration officials were investigating how the SSN and Medicare numbers could have been put on the labels, but had no further comment.

The veil of silence over health care data breaches isn’t helping: Security firm Redspin Inc. recently reported that health data breaches are getting bigger as more patient information is automated. The industry saw about the same number of large breaches reported in 2012 and 2013, but twice as many patients were affected in 2013.

For a feature story in the March issue of Health Data Management about what to do next following a breach, at least 15 organizations were contacted and four responded. Each respondent had to be cajoled to some degree; they wanted to participate and educate their peers but were hesitant. In the end, each organization concluded it was the right thing to do--with one even deciding not to notify their attorney. During each interview, it became evident that the philosophy of doing right by patients clearly governed how they responded to and resolved their breaches. They weren’t being thrown softballs during the interviews, and each one--Ministry Health Care, Saint Francis Hospital and Medical Center, vendor HealthPort and orthopedic surgeon Steven Imrie in San Jose--came out looking like a responsible organization and smarter because of the experience.
