Reassuring Victims of BreachesRecent Breach Incidents Offer Important Lessons
The healthcare organization announced it would offer all affected individuals one year of free credit monitoring and identity theft protection. Unfortunately, far too many other organizations, including the TRICARE military health program, that have experienced major breaches that have put Social Security numbers and other personal identifiers at risk have chosen not to offer credit protection.
In addition, Nemours, rather than merely making vague pledges to take steps to improve its security practices - as is common in so many breach announcements - spelled out specifics. It announced plans to "move toward encrypting all computer backup tapes" and to move all non-essential backups to secure off-site storage.
As your organization considers its breach notification policies, be sure to spell out the process you'll use to determine whether to offer free credit monitoring.
In contrast, TRICARE, whose business associate, Science Applications International Corp., was responsible for a breach affecting 4.9 million of its beneficiaries, said in its statement that the two organizations were "reviewing current data protection security policies and procedures to prevent similar breaches in the future." TRICARE also said "the incident continues to be investigated and additional information will be published as soon as it is available."
Unencrypted Backup Tapes
Both the Nemours and TRICARE incidents involved unencrypted backup tapes. While a locked cabinet containing backup tapes is missing from a Nemours facility, the TRICARE incident involved the theft of unencrypted backup tapes from the car of an SAIC employee.
We should note that the Nemours incident, involving patient billing and employee payroll data, included "direct deposit bank account information" in addition to Social Security numbers and other information, so offering free credit protection was clearly the right move. In contrast, the TRICARE/SAIC incident did not involve any financial data, so perhaps the decision to offer credit protection wasn't as clear-cut. Although we don't know all the details about the incident, TRICARE acknowledged that the stolen tapes may include names, addresses and Social Security numbers. And it would appear that's enough information to potentially support identity theft.
We're still hoping that TRICARE and SAIC eventually will offer free credit protection, if not to all 4.9 million of those affected, at least to those whose Social Security numbers were on the tapes.
We're also hoping that TRICARE will eventually spell out, in much greater detail, whether they'll encrypt all backup tapes and take other specific security steps to prevent similar incidents. An SAIC spokesman said government officials were in the process of "seeking a compliant encryption solution that would work with the operating system [used to perform the backup onto tape] when the backup tapes were taken." TRICARE and SAIC should provide updates on that effort. HealthcareInfoSecurity's new Healthcare Information Security Today survey, completed in September, found that only half or organizations have a detailed plan in place to comply with the HIPAA breach notification rule. And only half of those have conducted a test to see if their breach incident response plan will work in a real breach situation. (Look for complete results of the survey in the weeks to come.)
As your organization creates or updates its breach notification policies, be sure to spell out the process you'll use to determine whether to offer free credit monitoring. And work with your marketing department to make sure any post-breach statements will spell out as many relevant breach prevention details as soon as possible. After all, a breach can be very damaging to your organization's reputation. And patients want reassurance that their privacy is being protected.