When a data breach happens, existing policies and an effective action plan can be deciding factors in whether a healthcare organization will be able to avoid a substantial fine. That was the message delivered by Micky Tripathi, founding president and CEO of the Massachusetts eHealth Collaborative (MAeHC), on Dec. 13 at the Healthcare IT News Privacy and Security Forum in Boston.
Tripathi is no stranger to privacy and security issues in health IT. He helped launch the Indiana Health Information Exchange and is chair of the eHealth Initiative and co-chair of the Information Exchange Working Group, which provides recommendations to the federal government regarding HIE requirements.
In 2011, however, Tripathi found himself in unfamiliar territory after an unencrypted MAeHC laptop containing 14,475 patient medical records was stolen from an employee's locked car. Having survived the process of notifying patients, contacting attorneys, changing policies and working to rectify the situation transparently, Tripathi noted that no one is immune from data breaches. An organization can, however, be spared much of the nasty aftermath depending on how the breach is handled.
"We're actually in this business. We even provide policy guides at the federal level," Tripathi told the forum audience. "So the suit was no small embarrassment that we found ourselves in the position of having made some critical mistakes with respect to how we were handling data and policies within our organizations."
Nonetheless, MAeHC's transparent handling of the data breach helped the group avoid any fines, which Tripathi had initially been worried about. He cited other groups in Massachusetts that weren't so lucky. Massachusetts General Hospital, for instance, received a $1 million fine from the Office for Civil Rights for a breach of 192 patient records, and South Shore Hospital was slapped with a $750,000 fine from the Massachusetts Attorney General's Office for a breach involving some 800,000 patient records.
Taking a lighthearted approach to reflection, he likened the experience to going through the Kübler-Ross stages of grief. The first step was denial, which was, "It wasn't our employee. It couldn't have been. Definitely wasn't our laptop," he said jokingly.
The next step was anger, asking, "How could they do this? Don't they understand what our policies are? How could that person steal something? Don't they understand that's personal property? What kind of country do we live in?" he said to a laughing audience.
And then of course bargaining: "Do we know anyone at the attorney general's office? Maybe we can say, 'Look, we're just a non-profit.'"
After the depression finally sank in, MAeHC moved to acceptance. "We tried to be very transparent about everything we did," Tripathi said. In addition to the legal responsibilities, "we [had] a certain ethical responsibility," he added. "We came clean with the whole thing … we were standing up for our mistake."
Despite not getting slapped with state or federal fines, MAeHC did pay up. The total cost of the data breach came to $228,808, which is no nominal sum for a non-profit. Tripathi said $150,000 of that went to legal fees, and more than $6,000 went to credit monitoring for patients.
What did they learn? The importance of encryption, clear policies and employee responsibility, he said.
Although MAeHC was in the process of encrypting all company laptops at the time of the theft, "the laptop wasn't encrypted. The files weren't encrypted individually. This was a big miss from a management perspective."
Ultimately, Tripathi said he wanted MAeHC's experience of the often-indiscriminate nature of data breaches, and of the proper way to respond afterward, to serve as a "learning opportunity for the industry."