HIPAA Enforcement

 
 
By Kim S. Nash  |  Posted 2006-12-06
 
 
 

Laureen O'Brien, chief information officer of Providence Health & Services' Oregon region, was in her office, just back from the 2006 New Year's holiday. A phone call that Tuesday, Jan. 3, brought news that every CIO dreads. Someone had stolen a computer bag out of a systems analyst's car four nights before. Gone were 10 computer disks and tapes holding information on what would turn out to be more than 365,000 patients—everything from Social Security numbers and birth and death dates to diagnoses, prescriptions and insurance numbers. Data on doctors was missing, too, including Medicare and Medicaid numbers, state license numbers, names, addresses and phone numbers.

As noted by state Attorney General Hardy Myers, who would soon open an investigation, this was the biggest data breach ever reported in Oregon.

The incident also exposed Providence to a relatively unknown, costly and potentially dangerous variation of ID theft—medical ID theft. Here, thieves can use stolen information to obtain treatment in victims' names, corrupt their medical records and file false insurance claims.

People whose health records are stolen and falsified may get the wrong medical treatment, find their insurance exhausted or become uninsurable, says Pam Dixon, executive director of World Privacy Forum and author of a report, Medical Identity Theft: The Information Crime that Can Kill You. Medical ID theft "can affect your health and well-being," she warns.

The World Privacy Forum says 500,000 people may be victims of medical identity theft, based on numbers reported by the Federal Trade Commission in 2003. And the problem may worsen, especially as more and more health-care providers move from paper to electronic records, Dixon says.

Then there's the matter of cost—not just to the direct victims, but the businesses and health-care providers like Providence that incur financial and sometimes legal liability because of pilfered medical records.

Providence has spent $7 million so far responding to the breach. "This was not a cheap mistake," CIO O'Brien says.

"I didn't have gray hair before."

As one of the largest and most highly recognized health-care providers in the Pacific Northwest, Providence takes pride in using cutting-edge technology to improve patient care. In July, it announce d that one of its facilities, Providence Portland Medical Center, was among the "nation's 100 Most Wired Hospitals and Health Systems" named by Hospitals & Health Networks magazine. The award is based on using information technology to improve quality, satisfaction and patient care and reduce medical errors.

Providence serves five states, such as Oregon and Washington, and regional executives oversee local offices and their technology departments. At most facilities across the company, employees back up data daily to tapes and disks and send it off to be stored in a secured building, O'Brien says. But at the company's Home and Community Services unit in Portland, which cares for frail and elderly patients in their homes, employees took the backups home themselves, in their own cars, she says.

Now, 12 months later, the nonprofit medical provider finds itself mired in the consequences, in an ordeal that may continue for years. As patients worry that someone has messed with their finances or medical records—and as two of them press a negligence lawsuit against Providence in county court—Providence is fighting to save its reputation for reliability and trust.

In its scramble to respond to the New Year's theft, Providence hired NTI Data Forensics, a computer forensics and security company in Bellevue, Wash., to figure out exactly what data was lost. Providence sent two letters, one to notify patients of the theft and the second to offer free credit monitoring and restoration to protect their identities. Patients who lost financial data also got phone calls. The company also set up special call centers to answer questions; bought patients two years' worth of credit-monitoring and restoration services from Kroll, a New York-based firm that helps companies manage security risks; and contracted with business and technology solutions provider EDS to audit its security practices and suggest changes.

Providence's attorney, John McGrory, insists there are no verifiable cases of identity theft from the burglary, even though Providence doesn't know where the data is or who took it. The sheriff's office in Clackamas County, where the theft happened, has no suspects and has suspended its investigation.

"I'm not excusing it or the conduct of Providence or saying it's OK, but with the society we live in … [loss of personal data] is happening," McGrory told Judge Marilyn Litzenberger at a hearing in Multnomah County Court in Portland on Nov. 3. "It results in financial loss in a very infinitesimal percentage of times."

But others, including Kroll, which is working with Providence, say identity theft is a serious problem, a crime where people are combining stolen information to get jobs, housing, health benefits and—if they can avoid being detected by the credit bureaus—credit, all in someone else's name. "I believe there are more breaches for the purpose of identity theft every day," says Troy Allen, Kroll's chief fraud solutions officer. "It's an organized, violent felon crime where people know how to get access to large organizations."

Next page: HIPAA Enforcement: A Wrist Slap: A Wrist Slap">

HIPAA Enforcement: A Wrist Slap

When someone suffers credit card fraud, he or she can seek recourse through the Fair Credit Reporting Act, which provides safeguards such as the right to demand correction of their credit records.

Victims of medical theft aren't so lucky. Patient data is supposed to be protected by the Health Insurance Portability and Accountability Act (HIPAA), which regulates patient privacy and security all along the health-care chain, from a paper file sitting on a doctor's desk to a computerized medical records database. But violators of HIPAA have little to fear. Since the privacy rules went into effect in April 2003, there have been four prosecutions and no fines. A survey this summer by the Healthcare Information and Management Systems Society reports that 22% of health-care providers remain out of compliance with HIPAA privacy, and 44% with HIPAA security.

HIPAA is "pretty much a no-enforcement system," says Peter Swire, a law professor at Ohio State University and the White House coordinator for the HIPAA privacy rules during the Clinton administration. "Imagine some other area of law you care about and 20,000 at-bats and zero hits," he says, comparing the number of complaints—more than 23,000—with the number of fines.

Confidential medical information has become so available that in the last 10 months, patient records, documents on insurance benefits and passwords to medical server systems have turned up online, according to Howard Schmidt, a former cybersecurity adviser to the Bush White House who now runs a consulting company, R&H Security Consulting. He says targeted searches for keywords such as "hospital records" and "medical passwords," as well as for other sensitive information, are being conducted over peer-to-peer networks, which people use to share music and videos and sometimes, by accident or malicious action, their entire hard drives. Both medical and financial information are being aggregated and sold online, he says, although he doesn't know how buyers use the underground information.

In the Providence case, the patients' lawyers say they are right to feel afraid. In failing to protect their data, Providence violated the privacy of the doctor-patient relationship, a rule established in common law that goes back hundreds of years, said plaintiff attorney David Sugerman at the hearing last month. "Given the egregiousness of their handling of confidential patient information and the widespread impact of their conduct, you could argue it was reckless and even intentional," he told Judge Litzenberger.

In February, after Providence conducted an internal review of the theft, it issued a press release announcing that "four employees have left employment with Providence Health System." Spokesman Gary Walker won't name the employees or explain why they are gone. But Steve Shields, the systems analyst who took the disks and tapes home and later reported them stolen, says he is one of them. Reached at his home, Shields says he was fired but can't discuss his case right now. "There's a lot about Providence that hasn't come out yet," he says.

Many of the details of what happened at Providence are under seal in documents at the courthouse. However, O'Brien maintains that the Oregon region's Home and Community Services unit, where the backup disks and tapes were made and where Shields worked, ran "a rogue I.T. department," where some practices, like taking backup data home, violated Providence's corporate policies. And on that December night, one Home and Community Services employee left those backups, with their unencrypted private data, vulnerable.

Now so are 365,000 of Providence's customers. Now so is Providence.

Organizations like Providence that lose sensitive data can never really know when their liability or the damage to their reputations will end, since identity theft and related crimes may be committed months or years after the data went missing. Kroll's Allen says new issues have been popping up at one of Kroll's breached clients for five years. Either creditors have failed to correct the victims' records, or the stolen data keeps getting resold and reused.

"Once your information is out there, you can't get it back, unless you're really, really lucky and someone gets arrested," he says. He believes the "vast majority" of data breaches, which are mostly thefts or breaches of policy like the one at Providence, aren't reported because companies are still learning to recognize and track them: "Only in the last couple of years has a lost or stolen laptop been considered a breach."

Without a handbook to deal with data-breach problems, technology managers must learn from each other. And there are a number of cases to learn from. At least 184 companies have reported exposing customer information in the past year, when their computers, disks or tapes got stolen or lost or their internal systems got hacked, according to the Privacy Rights Clearinghouse, a consumer advocacy group in San Diego that tracks data breaches. Fifty-five of those were U.S. health-care organizations, up from 11 in 2005.

"There's a myth that companies know what's happening to their data," says Alan Paller, director of The SANS Institute, a security researcher in Bethesda, Md. "You can't stop the data from getting out. You just can't."

Fraud scams, hacking, carelessness, and weak privacy and security protection have compromised patient data across the country.

As an example, at a Cleveland Clinic facility in Weston, Fla., federal prosecutors allege that a receptionist, Isis Machado, printed data on 1,100 patients and gave it to her cousin, Fernando Ferrer Jr., who provided it to others who fraudulently billed Medicare for $2.8 million this year and last. The cousins were indicted in September for conspiracy, computer fraud and violating HIPAA, among other crimes. They pleaded not guilty and await trial.

At Medco Health Solutions, the $38 billion prescription drug benefits manager in Franklin Lakes, N.J., the Social Security numbers, birth dates and prescription records of 4,600 Ohio state workers were compromised last December. Ohio's Department of Administrative Services announced in February that the data, unencrypted, was on a laptop stolen from a Medco employee's house.

In what may be the biggest patient-data breach to date, various offices of the U.S. Department of Veterans Affairs in the past year reported four separate laptop thefts, as well as the loss of a backup tape, a disk drive and three compact discs. The VA says no full electronic health files were lost, but these incidents have jeopardized private information, including disability ratings and insurance claim data, on more than 28 million military veterans and active-duty personnel. The VA has since spent $3.7 million to hire a consulting firm to encrypt all of its computers. Two laptops and the drive resurfaced, and the VA says tests by the Federal Bureau of Investigation show the data on them wasn't accessed.

Providence's disks and tapes, however, are still out there. They could be in a dumpster or at the bottom of the Columbia or Willamette rivers, which flow a few miles from O'Brien's office. They could have been offered for sale on the information black market, which happened to Sentry Insurance this year. The company announced in July that a contractor working for it in Stevens Point, Wis., was indicted for, among other data-theft crimes, trying to sell the private data of 36,000 Sentry customers to an undercover U.S. Secret Service agent for $25,000.

"I've not seen anyone brazen enough to offer medical information online to the highest bidder, although I'm sure we're not far from that," says Karen Spangenberg, chief of financial crimes at FBI headquarters in Washington, D.C. "We believe that on the horizon there's a crime wave of health-care fraud, identity theft and cybercrime."

Next page: December 30: No Holiday for Data Thieves : No Holiday for Data Thieves">

December 30: No Holiday for Data Thieves

Providence is known among health-care providers as a technology leader. Headquartered in Seattle, the company was started by five women in the mid-1800s as a Roman Catholic ministry and charity, and has grown to run hospitals, clinics and elder-care facilities in five states.

In 2004, Providence started using electronic medical records, well ahead of many health-care firms that now struggle with them or are only starting to consider them. Providence's electronic record combines doctor's notes, test results, images and scans of paper documents. The company consistently rates among the top five health-care providers for how efficiently it integrates operations between doctors, hospitals, clinics and all the other facilities involved in treating, and billing, the sick, according to Verispan, a health-care researcher in Yardley, Pa.

The technology O'Brien oversees in the Oregon region, according to the Providence Web site, includes 60 clinical, financial and operations systems, such as Lawson Software human-resources applications, Oracle databases, McKesson health-care patient accounting software and SPSS statistical analysis tools; 6,100 personal computers; and 149 Unix, Linux, Microsoft Windows and other servers.

Providence performs nightly backups of these systems to standard tapes and disks, O'Brien says, and turns them over to records management firm Iron Mountain, which secures them off-site.

But not at Home and Community Services, which, O'Brien discovered, had its own way of protecting data.

On the night of Dec. 30, off work for the holiday, Steve Shields drove to his Milwaukie, Ore., home and parked his Plymouth Voyager in the driveway at the bottom of his yard, according to the sheriff's report. He left his computer bag full of disks and tapes on the floor of the minivan. Sometime after 10 p.m., someone smashed a window and grabbed the bag, he told the Clackamas County Sheriff's Department the next morning.

Several other cars in the same area, a neighborhood of large, comfortable-looking homes among giant pines, were also burglarized that weekend, although the thieves didn't take everything they could lay their hands on. The report notes that some "high-end items"—including a laptop computer in Shields' car and possibly some Christmas presents in his wife's car, which was parked next to his—were left behind.

The stolen disks and tapes contained copies of records on at least 365,000 people living in Oregon and southwest Washington, some going back to 1987. The records were created by various offices of Home and Community Services, which serves patients who are chronically ill, disabled, or so old or injured that they need special care or equipment in their homes.

But some of the patients whose data disappeared are young—children, for example, who went to the hospital to get crutches or some other outpatient care, along with the adults who agreed to pay their bills. Oregon has no law requiring companies to notify customers after their data is compromised, but the state of Washington, where some of the patients live, does. The wife of one of the attorneys representing patients in the case received Providence's notification letter, according to court papers. So did Judge Litzenberger and an unnamed judicial assistant. The judge and her staff are now excluded from profiting from any settlement with Providence.

Nineteen days after the theft, Providence gave police photos of Sony SDX2-50C cassette tapes and Hewlett-Packard rewritable optical disks—media of "the same style"—so investigators would recognize the stolen goods if they turned up.

O'Brien maintains that Home and Community Services' "rogue I.T. department" was the problem. For 10 years, Providence in Oregon has been bringing its hospitals and their information-technology staffs onto centrally managed clinical systems. So far, she says, seven staffs have been consolidated. But Home and Community Services maintained its own computer systems, and although the technology staff "had accepted that they were no longer a mom-and-pop shop" and were going to move their operations into Providence's Oregon regional data center, the switch-over hadn't happened yet. They still managed and backed up eight systems by themselves.

"The practice did not match our policies," she says. "This was the only [department] we had not centralized."

"Obviously," she adds, "the number-one lesson learned is not to have a rogue or a shadow I.T. department out in your business units."

Yet the burglary of Shields' minivan was not the first time Providence had lost data.

Between August 2005 and last December, four computers were stolen from Providence's secured building in Portland, according to Faye Jorgensen, Providence's director of regional security, who was quoted in the sheriff's report. They held Drug Enforcement Administration numbers (which are required by the DEA to prescribe drugs) and other personal information about doctors.

One laptop was stolen in September 2005 that held records on eight hospice patients, and another one in December 2005 that held records on 14 home-care patients in Snohomish County, Wash. Providence didn't announce these thefts until March, when it said in a press release that two more laptops containing information on 122 patients had also been stolen—one from the car of a different Providence employee in Washington.

"The employees involved in the 2006 thefts were not following Providence Health & Services policy, which requires that confidential data be secure at all times," the release said.

The patients who have sued Providence in Oregon, Russell Gibson and William Weiller, claim Providence was "negligent in failing to handle protected health information when it allowed an employee to store [it] in his or her car." Providence's McGrory says the patients have no case and the judge should dismiss it. But the patients want it certified as a class action so all 365,000 of them can collect any damages awarded for inconvenience, impairment of access to credit or emotional distress.

Many patients fear that leaked medical information may somehow hurt them or affect their jobs, adds David Paul, another lawyer on the patients' case against Providence. He says his office has received numerous calls from worried patients. "What if you're on the Oregon police force and taking anti-depressants?" he asks.

Paul says evidence collected in the case reveals "dozens" of times when Providence has lost control of information about patients—a notion that Providence's Walker disputes.

"This was not just one rogue group," Paul maintains. "[They failed] to have their data secure in a number of different components of their operation."

Policies at Providence, revealed as part of the patients' lawsuit against it, say that "electronic records will not be left unattended or unsecured in areas accessible to unauthorized individuals." Another policy states: "All portable computing devices must use encryption. Media removed from [Providence] facilities must be encrypted."

The New Year's theft slapped the company and customers awake to the split between policy and reality.

Next page: Braving the Public

Braving the Public

When Shields reported the theft, he said the disks and tapes were "highly encrypted" and that "it would be almost impossible to retrieve the data," according to the sheriff's report.

But the disks and tapes were not encrypted, as O'Brien and other Providence officials later learned, and even though the data on the tapes was stored in an old, hard-to-read format, it was not impossible to retrieve. O'Brien says it would require a "very sophisticated" thief with "a lot of money and a lot of time." Still, she had to assume the worst case. So, Providence

had to figure out what data was missing and how it was going to respond.

That took three weeks. "We didn't sleep," she says.

O'Brien's information-technology shop had to make copies of the tapes and disks to try to replicate the stolen backups, which held data from 12 databases and systems in various formats. The I.T. team didn't have equipment old enough to decipher them, however. So, they hired NTI Data Forensics to crack the tapes and see if anybody could read the data. That company had to hunt on eBay for a tape drive old enough to read the replicas.

About 10 days later, O'Brien's staff was able to start analyzing which pieces of information were on the tapes, how it was laid out (names and addresses, for example, were not joined, but separated in different segments), and whether information was duplicated. If people's names showed up nine times, Providence didn't want to send them nine letters telling them their data was compromised.

Kroll contracted with its sister company, Marsh, to set up call centers and train workers, including temporary employees, to talk to patients as they called in. Different information was missing for different patients, so the staff built software that allowed call center workers to look into its systems and, without touching the data, tell each patient exactly what was gone.

The breach would have been easier to handle if Home and Community Services had followed policies on retaining data. That, O'Brien adds, is another lesson learned—destroy data when it's no longer needed. "There's data [on minors] we're legally required to keep for 17 years, but we were holding data for longer than that," she says. The systems in Home and Community Services were so old, she adds, that they didn't stop archiving information after it reached a certain age.

After the theft, Providence rushed to move servers as fast as possible from Home and Community Services into the regional data center, secure storage for its data, and design information safety training for all employees—which includes cards attached to their ID badges in case they forget what they're supposed to do, according to O'Brien.

Spokesman Walker says he combed the Web for sites created by other companies that had suffered data breaches—Marriott Vacation Club, for one—to use as a guide for the Web site Providence was putting up (in English, Spanish, Russian and Vietnamese) and for the letters it was writing to patients. "There's no playbook here," he says.

Like other breached companies, Providence claimed in its notification letters and in subsequent public relations efforts that there's no indication the lost data has been used to steal anyone's identity. But such claims "involve a certain amount of guesswork," says Jason Paroff, a director of computer forensics at Kroll.

For example, if a laptop is returned, one simple tool is to check the "last accessed" dates in the meta-data recorded about each file. A knowledgeable data thief, however, can make a forensic image of a stolen hard drive, like a detective or FBI agent investigating computer crime. "If you do it right, you wouldn't leave any trail," Paroff says. Even if the computer were returned, "The person with the laptop after that wouldn't actually know anyone had copied the entire drive." Paroff is not working on the Providence case.

If the machine is still missing, a company can do little else but watch internal systems for signs of hacking and wait for reports of customers' identities being stolen. "No indication of access," he says, "just means they haven't seen it."

On Jan. 25, more than three weeks after the theft, Providence began sending notification letters to patients, advising them to call one of the three credit bureaus and put fraud alerts on their files. It also notified state and federal regulators.

"We are truly sorry for this situation, and recognize the concern and inconvenience this situation is causing you," the letter said in boldface type. "Providence is also preparing some special resources to help you."

The call center was slammed with calls—nearly 2,000 on the first day. Calls would spike after any new information about the theft, such as a television newscast. Patients were upset; they didn't understand how to work with the credit bureaus, and they were calling different departments in Providence demanding that their Social Security numbers be removed from the company's databases.

O'Brien took charge of that task, according to court papers, appointing leaders in each region to find ways to eliminate or reduce the internal use of Social Security numbers. "This is the first step on a journey," said a presentation from O'Brien that is part of the court record. "Provide de-identified examples of harm caused to patients and employees at PHS from inappropriate use of Social Security numbers (tell the story, create the shared need)."

Attorney General Myers' office began investigating whether Providence had violated Oregon's Unlawful Trade Practices Act, which forbids businesses, including health-care organizations, from misrepresenting their products and services. (Providence's code of conduct, published on its Web site, says, "We treat patient information with special care ... We protect and maintain patient, business, and employee information in accordance with Providence policy and applicable law….")

Scam artists got wind of the theft and started dialing people, pretending they were from Providence and looking for patients to get them to "verify" the data that was stolen, Providence warned in a press release. Complaints of identity theft began trickling in to the call center, along with the thousands of calls from people simply worried or confused about the breach.

Although no cases of identity theft have been attributed to Providence, a thief connected to "a large ring of sophisticated criminals" was found using a patient's wife's ID after $8,000 in fraudulent charges had appeared on the patient's credit card, according to court papers. The thief was arrested on Feb. 1 while trying to pass a bad check. Police found a stash of Social Security numbers, records from the Oregon Department of Motor Vehicles and newly printed fake Wells Fargo bank checks in his home. The detective on the case didn't think the information came from Providence, but the wife told the call center she knew of no other breach.

By Feb. 2, 10,000 patients had called Providence. So many patients were having trouble with the credit bureaus that Providence hired Kroll to monitor and restore their credit, which meant more training of call center workers and another round of letters.

First, however, Kroll made Providence clean up its data. About 120,000 of the letters Providence sent came back as undeliverable, according to court papers. Kroll told O'Brien's technology staff to run the stolen data through the National Change of Address database to get current addresses, as well as a commercial database to see how many patients the Social Security

Administration had recorded as dead. Ultimately, Providence gave Kroll a list of 383,418 people—18,418 more than Providence thought were breached, although Kroll says some folks were reclassified and counted twice.

The list was further broken down to identify patients who were children, patients who had died (along with their living relatives), and guarantors—friends or relatives who had agreed to pay patients' bills. To everybody with an address—of which Kroll had 260,163—Kroll sent membership packets so they could sign up for credit monitoring and restoration services if they wanted. For the 123,255 people who were still missing addresses, Kroll kept their names on file in case they heard about the theft and called. By March 31, 19,192 people had requested credit monitoring, according to court papers, and Kroll had referred three cases of possible identity theft to Providence.

One former patient, Rob Holmes, quickly put up a Web site, www.providenceidentitytheft.com, to help fellow victims of the data breach get "spin-free" information about it, he says, by telling his own tale and creating a chat forum for others.

In an interview, Holmes says that Providence's call center could not tell him which of his data had been revealed. Fill out a form, he says he was told, and we'll review your request. About three weeks later, Holmes got a printout showing what parts of his file were likely to have been breached. It was derived, a Providence letter explained, from the first backups made after the theft. His name, address, Social Security number and insurance number were there, along with the phone number and address of his mother, whom he listed as an emergency contact. Also included were three diagnostic codes pertaining to his sleep apnea condition and a list of equipment, such as masks and cushions, he had received from Home and Community Services from 2001 to early 2005.

Holmes was so mad that he filed a formal complaint with the U.S. Department of Health and Human Services, which asked him to sign a form consenting to let the government investigate. "I haven't heard from them since," he says. Health and Human Services says it can't discuss a patient's private information or the particulars of individual complaints. The Federal Trade Commission also received a complaint from someone about the Providence breach and has other records on the breach that it won't discuss, it says, because they are part of "a law enforcement investigation."

At Providence, O'Brien found the bad publicity tough to handle, because she doesn't know what else the company could have done. "People thought we were sitting on it for three weeks, I guess, twiddling our thumbs. But everybody was really busy 7 by 24 trying to do the right thing" to have a solution in place before going public with the theft.

The question for the court is whether Providence did enough.

Next page: In the Aftermath

In the Aftermath

The furor created by the data breach is dying down. By April, the number of calls coming in to the call center had fallen to fewer than 100 a day. In September, Providence reached an agreement with the Oregon Attorney General, and, without admitting any violation of law, paid $95,764 into a state consumer protection and education fund. It agreed to provide patients with at least one year of free credit monitoring (which it boosted to two years on the day of the hearing before Judge Litzenberger), and free credit restoration unless it can show the stolen data did not cause patients' problems. If it did, Providence will reimburse their losses.

Separately, Walker says Providence is eager to work on a data breach bill with the Oregon Legislature.

But the lawsuit goes on. Providence has so far produced 60,000 pages of documents, according to Paul, the patients' attorney. "Providence has gone way beyond what we're required to do," said McGrory at the hearing, trying to persuade Judge Litzenberger to dismiss the case. "There is nothing more to be gained if we go to trial. We're morally obligated, but we're not legally obligated. So, the lawsuit is not going to do any good."

In its response to patients, Providence seems to have done more than some other breached companies, according to a Baseline examination of 20 health-care organizations that experienced breaches in the past two years. Some don't provide free credit monitoring to customers, for example, or post regular updates on the breach on their Web sites or buy full-page ads in local newspapers apologizing to the public. Wilcox Memorial Hospital in Lihue, Hawaii, for example, lost a disk drive with data on 130,000 patients last year, and in a notification letter encouraged customers to contact the credit bureaus themselves to check for suspicious activity. So did Kaiser Permanente, HCA and the Cleveland Clinic in breaches they each had this year.

A Kroll director, Brian Lapidus, called Providence's commitment to helping its patients avoid identity theft "extraordinary," according to court papers.

But not all patients are satisfied. Some who complained to the call center were reimbursed for out-of-pocket expenses, like notary public fees, but Providence hasn't extended the same offer to all patients, according to Paul. Others want compensation for their time. Still others bought their own credit monitoring service before Providence hired Kroll and think Providence should pay.

"They are doing too little, too late," Paul says. "We're trying to create a wide safety net."

Technology wouldn't have prevented the breach at Providence. It isn't as if a hacker penetrated the corporate network or an insider downloaded data he shouldn't have accessed. The breach happened because of what O'Brien admits was poor practice met with poor luck: taking backup media home and leaving them in a car on a night when thieves happened by.

Strong policies supported by strong consequences are what companies need, says Paul Stamp, a Forrester Research analyst. "It's all well and good to say, 'Don't do it.' But you have to tie motivations to things that make people tick," he says. "Firing is the ultimate awareness program."

Kim Gray, who is the chief privacy officer at Highmark, the $9.8 billion health insurer, approaches her job knowing that breaches will happen, she says, either intentionally or not. Highmark has spent millions of dollars modifying its applications to accept unique identification numbers instead of Social Security numbers. "We go beyond the minimums [required by industry regulations]," she says, "and a lot is driven by protecting our brand reputation and fulfilling customer trust."

Combined with policy, a few technology steps can make private data less vulnerable.

For instance, companies can shrink the amount of data moving around with precise role-based access to information. Give each kind of employee only the "minimum necessary" data needed to do his or her job, HIPAA rules advise. "A lab tech doesn't need to see everything—just what the blood needs to be drawn for," Gray says. "Not the person's address and date of birth." The fewer eyes on data, the more private it remains.

Along those lines, employees should be trained not to share passwords to clinical, financial and other applications, says Steve Kelly, a consultant at The Newberry Group, a technology management consulting firm in St. Charles, Mo. Also, log off whenever you leave your desk.

Equipping laptops with beacon software, such as Absolute Software's Computrace, can help companies track down stolen machines. The program, loaded into the computer's system software, instructs the laptop to call out—send a beacon—to Absolute's online monitoring center every time it connects to the Internet. Investigators can then trace its location by the Internet Protocol address revealed during the contact.

Encrypting backup tapes and disks makes the data on them unreadable without the right software decryption keys, according to John Glaser, CIO of Partners Healthcare in Boston. If thieves can't see the Social Security numbers and dates of birth on the machines they steal, chances of identity theft drop. Plus, he notes, state breach notification laws leave an out for those who encrypt. Generally, organizations don't have to report breaches if they had encrypted the information stolen or lost.

Paller at The SANS Institute, meanwhile, says he's seeing a surge in companies buying encryption products in concert with the publicity of stolen laptops, lost tapes, hacked systems and other data spills.

The outbreak of breaches this year "is the first security issue that directly touches CEOs," Paller says. "All the others are big issues, but they delegated them. This one, the CEO is honest-to-God worried about getting called up to Congress and getting his picture in the local paper. He or she simply says to the I.T. people, 'Don't let it happen.'"

Step No. 1, as Providence learned: Don't let employees take home disks and tapes loaded with 18 years' worth of patient data. "We want to be a leader in information security," O'Brien says, hopefully. "Having had a bad experience can only help us be that leader."

Next page:Goals and Financials
Providence Health & Services Base Case

Headquarters: 506 Second Ave., Suite 1200, Seattle, WA 98104
Phone: (206) 464-3355
Business: Provides health-care services—including inpatient, outpatient, primary and home care—as a nonprofit in five states. Also provides health plans.
Chief Executive Officer, Oregon Region: Russ Danielson
Chief Information Officer, Oregon Region: Laureen O'Brien
Financials in 2005: $4.36 billion in net revenue; $308.2 million in net income.
Challenge: Protect and secure patient data throughout its entire organization.

Baseline Goals:

  • Increase revenue from patients by 7.7% or more in 2006.
  • Boost net income by at least 36.6% in 2006.
  • Increase funding for community programs by 11.7% or more in 2006.
  • Maintain or reduce operating expenses as a percent of operating revenue, which stood at 95.3% in 2005.