There is no doubt that the U.S. Department of Defense knows a lot about the value of securing sensitive information and how to do so properly. There is no doubt that Defense encrypts a ton of sensitive information.

So, how could Defense not make absolutely certain that TRICARE, the insurer for the military health system, was encrypting Social Security numbers and other protected health information on millions and millions of people? Answer: It wasn't a priority for Defense or TRICARE. A month ago, TRICARE announced that subcontractor Science Applications International Corp. reported the theft of unencrypted backup tapes on 4.9 million military health system members, and that just would not have happened if optimal security for PHI had been a priority.

Anyone who has looked at the Defense budget knows the department can't plead poverty, so cost wasn't a factor in not ensuring military health system contractors and subcontractors encrypt protected health information. TRICARE and SAIC aren't poor, either. It comes down to willful neglect.

And what was TRICARE's response to the breach? It sent out millions of letters to affected patients telling them how committed they are to security and how sorry they are about the incident. But they aren't sorry enough to offer free credit and identity protection services for one or two years, which is quickly becoming the industry norm, especially when Social Security numbers are potentially compromised.

TRICARE said the risk of harm is low because retrieving data would require knowledge of and access to specific hardware and software, and knowledge of the system and data structure. That's what everyone with compromised tapes says, but there are a lot of tapes and a lot of breaches of tapes and there's probably a lot of people who know how to get the data off tapes. Do people steal tapes for any other reasons than they don't know what's in the box they're taking or they want to access the data?

The Department of Health and Human Services' Office for Civil Rights investigates all major breaches of protected health information and requires a corrective action plan by the offending entity. And while encryption isn't mandated, OCR has acknowledged that encryption often is part of the corrective action. It's a good bet TRICARE will be implementing encryption technology soon if it isn't already.

But what about the 4.9 million patients left unprotected except for some advice on personally safeguarding their credit and identity and a "sincere" apology from TRICARE? Well, some of those patients have sued TRICARE and Defense for $4.9 billion--$1,000 for each affected patient. Settling that suit could cost far more than proactive encryption would have.

I strongly suspect HHS/OCR will make sure TRICARE offers credit and identity protection services. Asked if OCR has ever closed a breach investigation involving Social Security numbers without insisting that such services be offered, Susan McAndrew, deputy director for health information privacy responded:

"It is fairly standard practice in breaches of this size, where key identifiers such as SSN have been compromised, for the entity to offer credit monitoring services. However, the statute does not mandate credit monitoring services or any other specific mitigation measures be offered by the covered entity. The notice sent to individuals to inform them of a breach is required to include steps the individual may take to protect themselves from potential harm due to the breach and a description of what the covered entity is doing to mitigate the loss of the data. The adequacy of the covered entity's response to the breach would be measured in its totality on a case by case basis."

It comes back to willful neglect, which is a big factor when OCR cracks the whip. So, I'm not worried TRICARE/Defense will get off without encrypting or providing protective services. But if OCR wants to really send a message to the industry--including the government's vast health plans--a record-setting fine would do the job.

 

Register or login for access to this item and much more

All Health Data Management content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access