E-Mail Security Case: Sealing Cracks at Harvard Pilgrim

Ken Patterson is not an unusually paranoid person.

But he reads the news. As chief information security officer at Harvard Pilgrim Health Care, Patterson is responsible for managing the security policies and systems that safeguard the private data on the health-maintenance organization’s 975,000 members.

The nonprofit company, based in Wellesley, Mass., exchanges data on those members each day with employers, insurance brokers, and a network of more than 130 hospitals and 22,000 physicians across New England.

That’s a lot of moving parts, especially in light of the information-security debacles of 2006 that made security managers’ skin crawl. Nearly every week, another corporation or organization—from Aetna to the Department of Veterans Affairs—was issuing a mea culpa for a stolen laptop, lost backup tape or compromised database that contained customers’ or employees’ private data.

Harvard Pilgrim hasn’t experienced a similar data breach. Even so, Patterson’s mandate was clear: The organization needed to tighten its information infrastructure to prevent unauthorized disclosure of confidential member data. “Our mission,” he says, “is to be the most trusted name in health care.”

But Harvard Pilgrim works with numerous third parties. And, as Patterson notes, “We can’t control the data too well when it leaves our domain.”

So, what if one of those private e-mails leaked out? What if thousands did? Consultancy Gartner Inc. estimates that the direct costs associated with a data breach would be about $90 per customer account involved—for legal fees, communications to those affected and other services.

Patterson assumes a large-scale disclosure of private data would result in a mass defection of customers, far more devastating than the costs associated with recovering from a single incident. In the health-care industry, according to his estimates, a big data leak could result in a 20% loss of the total customer base from people either canceling their accounts or deciding not to do business with the organization.

For Harvard Pilgrim, which had $2.3 billion in annual revenue for 2005, that worst-case scenario would mean losing upward of 195,000 customers—and, along with them, hundreds of millions of dollars in revenue a year.