Last March the Ponemon Institute released its findings for the 2010 Annual Study: U.S. Cost of a Data Breach. The study -- based on the actual data breach experiences of 51 U.S. companies from 15 different industry sectors -- revealed that data breaches grew more costly for the fifth year in a row. They jumped from $204 per compromised record in 2009 to $214 in 2010.
The increase in cost, however, pales in comparison to the reputational cost of companies that have been victimized, particularly in the healthcare sector.
Consider that the U.S. Department of Health and Human Services has begun posting the data breaches affecting 500 or more individuals as required by section 13402(e)(4) of the HITECH Act. The New York Times has labeled this site "The Wall of Shame". Why? Because if patients have no faith in electronic record-keeping, the future of healthcare record automation will be jeopardized: Law suits and government regulation will bury any cost-savings.
What are the stories behind the most severe healthcare sector data breaches reported in 2010? Here are the ten most expensive stories, in ascending order of cost, documented in the Privacy Rights Clearing House database. While they're sober reminders of the problem of keeping data secure, they're also instructive: none of these breaches were malicious hacks, but were instead the results of theft, poor record-keeping policies, and simple human error.
(Note that the estimate of liability uses the $214/ record cost identified by the Ponemon Institute in its annual report. We have purposely not published the names of the reporting institutions.)
On June 29th of 2010 a thief stole four computers from a physician specialist's office in Fort Worth, Texas. This theft resulted in an estimated 25,000 patient records being exposed. The patient records contained addresses, Social Security numbers and dates of birth. Estimated liability: $5,350,000.
On the weekend of May 22nd, 2010 two computers were stolen from a medical center in the Bronx. Names, medical record numbers, Social Security numbers, dates of birth, insurers, and hospital admission dates of patients were known to be on the computers. Total records compromised: 39,000. Estimated liability: $8,346,000.
A computer stolen from an Optometry office in Santa Clara, California on Friday April 2nd, 2010 contained patient names, addresses, phone numbers, email addresses, birth dates, family member names, medical insurance information, medical records, and in some cases, Social Security numbers. Though the files were password protected, they were not encrypted. A total of 40,000 records were lost, with an estimated liability of $8,560,000.
Medical records were found at a public dump in Georgetown, Massachusetts on August 13th, 2010. The records contained names, addresses, diagnosis, Social Security numbers, and insurance information. A medical billing company that had worked for multiple hospitals was responsible for depositing the records at the dump. The exposure required the hospitals to notify patients - an effort that continues to this date. The total number of records known to have been exposed is 44,600, but the search continues. Estimated liability: $9,544,400.
On March 20th, 2010, in Chicago, Illinois, a contractor working for a large dental chain found his laptop stolen. The computer held a database containing the personal information of approximately 76,000 clients, including first names, last names and Social Security numbers. Estimated liability: $16,264,000.
On June 30th, 2010 a medical center in the Bronx reported that it had failed to receive multiple CDs containing patient personal information that was sent to it by its billing associate. These CDs were lost in transit. Information of 130,495 patients included the dates of birth, driver's license numbers, descriptions of medical procedures, addresses, and Social Security numbers. Estimated liability of $27,925,930.
In Westmont, Illinois, a medical management resources company reported on May 10, 2010 that a portable hard drive had been stolen after a break-in. The company believes the hard drive contained personally identifiable information about patients including name, address, phone, date of birth, and Social Security number. The company acknowledged that this hard drive had no encryption. As a result, 180,111 records were exposed, creating an estimated liability of $38,543,754.
On April 10th, 2010 a New York managed care service in the Bronx reported that it was notifying 409,262 current and former customers, employees, providers, applicants for jobs, plan members, and applicants for coverage that their personal data might have been accidentally leaked through a leased digital copier. The exposure resulted because the hard drive of the leased digital copier had not been erased when returned to the warehouse. Estimated liability: $87,582,068.
The theft of 57 hard drives from a medical insurance company's Tennessee training facility in October of 2010 put at risk the private information of an estimated 1,023,209. customers in at least 32 states. The hard drives contained audio files and video files as well as data containing customers' personal data and diagnostic information, date of birth, and Social Security numbers, names and insurance ID numbers. That data was encoded but not encrypted. Estimated liability to date: $218,966,726.
A Gainsville, Florida health insurance company reported in November of 2010 that two stolen laptops contained the protected information of 1.2 million people. This is an on-going story, as new estimates are calculated. To date, the estimated liability is $256,800,000.
These cases document that the majority of the data breaches which occurred in 2010 were not the result of hacking activities, or even unauthorized access by personnel. The greatest data losses were simply the result of computer theft of portable devices and misplaced media. Had the contents of the files been encrypted, this could have significantly reduced the risks and liabilities of these data losses.
Time and time again, industry experts point to data encryption as the key method by which organizations can prevent inadvertent exposure of sensitive data.
Of course, no healthcare organization wants to be listed on the US Department of Health and Humans Services' Wall of Shame. And the costs - in dollars and in reputation - can be extraordinary.
Isn't it about time your management got serious about data encryption?