How much could a breach of protected health information (PHI) cost your organization? How about more than $7 million?
Cost of a PHI Breach
That’s how much Connecticut-based Health Net doled out to private investigators in 2010 to get to the bottom of a PHI breach involving the confidential patient medical records and financial information of more than 446,000 Connecticut enrollees. Specifically, a portable hard drive had been lost and, with it, more than 27 million scanned pages of hundreds of documents, including insurance forms, membership forms, correspondence and medical records.
Investigators found that none of the data on the hard drive was encrypted, so nothing prevented unauthorized persons from reading it once the drive was lost. In failing to do its due diligence, Health Net violated numerous HIPAA regulations and put hundreds of thousands of unsuspecting customers at risk of fraud and identity theft.
PHI Breaches Can Be Avoided
Health Net agreed to pay a $250,000 fine to settle the loss and accepted a corrective action plan to protect its enrollees’ health information. Here are just a few of the steps Health Net took to make amends:
- The company completed the encryption of all laptop and desktop hard drives
- Health Net instituted increased IT oversight and assigned an Information Security Analyst to each new IT project
- The company provided all new employees with one-sheets detailing PHI policies and procedures
- Health Net agreed to hold an annual “Compliance Awareness Week” to alert employees to the importance of protecting the privacy and security of PHI
Obviously, had Health Net taken these actions up front, the PHI breach might have been avoided, sparing the company millions of dollars and irreversible public embarrassment. Regardless, the company’s missteps should serve as a warning to all healthcare organizations about the importance of having security controls such as encryption in place to avoid PHI breaches.
What steps or actions would you implement to protect your company from a similar PHI breach?