After a Health Breach, How Much Protection is Enough?

Troy (Ala.) Regional Medical Center has notified 880 patients of a data breach that includes names, addresses, dates of birth, medical record numbers and Social Security numbers. There are strong indications that an identity theft ring was behind the breach, yet the hospital is offering affected patients only one paid year of identity protection services.

Obviously, financial considerations have to come into play as a health care organization tries to recover from a major breach of protected information, and Troy Regional is a 47-bed facility without a ton of resources. But while the hospital hasn't responded to a request for additional comment, there also are indications that the breached information was on paper, which would mean someone had physical access to the records, so the incident could have been an inside job.

I think a treasure trove of demographic information plus Social Security numbers quite possibly in the hands of an identity theft ring would give any organization no alternative but to offer a more comprehensive protection service. And the Department of Health and Human Services' Office for Civil Rights, which investigates all major breaches, might agree.

In a recent interview with Health Data Management for a breach story in our August issue, Susan McAndrew, deputy director for health information privacy at OCR, declined to say the office mandates that credit/identity theft protection services be offered when certain information has been compromised. But she noted that such services are becoming the industry standard and made clear that they are expected. "Because it is such a standard, it is something we would look at with the covered entity to ensure proper remediation has been taken."

So, while Troy Regional Medical Center has decided that one year of identity protection services constitutes "proper remediation," OCR will have the last word. And if the office doesn't think so, and perhaps also gets complaints from patients who don't think so, it may conduct a deeper investigation of the breach and its resolution than it normally would. That could make the final cost for the hospital higher than if it had offered a stronger protection package in the first place.

What do you think? Is Troy Regional offering enough protection?
