In the Aftermath

By Kim S. Nash

Providence Health & Services lost information on 365,000 patients—after 10 backup tapes and disks were stolen from the back of an employee's minivan. Now, 12 months and $7 million later, the health-care provider remains mired in the aftermath. Here's

The furor created by the data breach is dying down. By April, the number of calls coming in to the call center had fallen to fewer than 100 a day. In September, Providence reached an agreement with the Oregon Attorney General, and, without admitting any violation of law, paid $95,764 into a state consumer protection and education fund. It agreed to provide patients with at least one year of free credit monitoring (which it boosted to two years on the day of the hearing before Judge Litzenberger), and free credit restoration unless it can show the stolen data did not cause patients' problems. If it did, Providence will reimburse their losses.

Separately, Walker says Providence is eager to work on a data breach bill with the Oregon Legislature.

But the lawsuit goes on. Providence has so far produced 60,000 pages of documents, according to Paul, the patients' attorney. "Providence has gone way beyond what we're required to do," said McGrory at the hearing, trying to persuade Judge Litzenberger to dismiss the case. "There is nothing more to be gained if we go to trial. We're morally obligated, but we're not legally obligated. So, the lawsuit is not going to do any good."

In its response to patients, Providence seems to have done more than some other breached companies, according to a Baseline examination of 20 health-care organizations that experienced breaches in the past two years. Some don't provide free credit monitoring to customers, for example, or post regular updates on the breach on their Web sites or buy full-page ads in local newspapers apologizing to the public. Wilcox Memorial Hospital in Lihue, Hawaii, for example, lost a disk drive with data on 130,000 patients last year, and in a notification letter encouraged customers to contact the credit bureaus themselves to check for suspicious activity. So did Kaiser Permanente, HCA and the Cleveland Clinic in breaches they each had this year.

A Kroll director, Brian Lapidus, called Providence's commitment to helping its patients avoid identity theft "extraordinary," according to court papers.

But not all patients are satisfied. Some who complained to the call center were reimbursed for out-of-pocket expenses, like notary public fees, but Providence hasn't extended the same offer to all patients, according to Paul. Others want compensation for their time. Still others bought their own credit monitoring service before Providence hired Kroll and think Providence should pay.

"They are doing too little, too late," Paul says. "We're trying to create a wide safety net."

Technology wouldn't have prevented the breach at Providence. It isn't as if a hacker penetrated the corporate network or an insider downloaded data he shouldn't have accessed. The breach happened because of what O'Brien admits was poor practice met with poor luck: taking backup media home and leaving them in a car on a night when thieves happened by.

Strong policies supported by strong consequences are what companies need, says Paul Stamp, a Forrester Research analyst. "It's all well and good to say, 'Don't do it.' But you have to tie motivations to things that make people tick," he says. "Firing is the ultimate awareness program."

Kim Gray, who is the chief privacy officer at Highmark, the $9.8 billion health insurer, approaches her job knowing that breaches will happen, she says, either intentionally or not. Highmark has spent millions of dollars modifying its applications to accept unique identification numbers instead of Social Security numbers. "We go beyond the minimums [required by industry regulations]," she says, "and a lot is driven by protecting our brand reputation and fulfilling customer trust."

Combined with policy, a few technology steps can make private data less vulnerable.

For instance, companies can shrink the amount of data moving around with precise role-based access to information. Give each kind of employee only the "minimum necessary" data needed to do his or her job, HIPAA rules advise. "A lab tech doesn't need to see everything—just what the blood needs to be drawn for," Gray says. "Not the person's address and date of birth." The fewer eyes on data, the more private it remains.
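As an added illustration of the "minimum necessary" rule described above (example code written here, not code from the article, Providence or Highmark; the role names, field names and the sample record are assumptions), a deny-by-default filter that returns only the fields a role is allowed to see and records every release of a sensitive field:

```python
# Added example: "minimum necessary" role-based field filtering for a patient record.
# A lab tech sees the order and specimen type, not the address or date of birth.
# Roles, fields and the sample record below are assumptions, not from the article.
from __future__ import annotations

# Deny-by-default policy: a role sees only the fields listed for it.
# No role is given the SSN; a unique patient identifier stands in for it.
ROLE_FIELDS: dict[str, frozenset[str]] = {
    "lab_tech": frozenset({"patient_id", "test_ordered", "specimen_type"}),
    "billing": frozenset({"patient_id", "name", "address", "insurance_id"}),
    "attending_physician": frozenset({"patient_id", "name", "date_of_birth",
                                      "test_ordered", "specimen_type", "diagnosis"}),
}

# Fields whose release is always noted in the audit trail.
SENSITIVE = frozenset({"ssn", "date_of_birth", "address"})

AUDIT_LOG: list[str] = []


def minimum_necessary(record: dict, role: str, user: str) -> dict:
    """Return the subset of `record` that `role` may see; audit sensitive releases."""
    allowed = ROLE_FIELDS.get(role)
    if allowed is None:
        # Unknown role: release nothing rather than everything.
        AUDIT_LOG.append(f"DENY user={user} role={role}")
        raise PermissionError(f"no field policy for role {role!r}")
    view = {k: v for k, v in record.items() if k in allowed}
    released = SENSITIVE & view.keys()
    AUDIT_LOG.append(
        f"ALLOW user={user} role={role} fields={sorted(view)} sensitive={sorted(released)}"
    )
    return view


# Constructed sample record (fictional values).
SAMPLE_RECORD = {
    "patient_id": "P-000123",
    "name": "Jane Example",
    "ssn": "000-00-0000",
    "date_of_birth": "1970-01-01",
    "address": "1 Example St, Portland, OR",
    "insurance_id": "INS-EX-1",
    "test_ordered": "CBC",
    "specimen_type": "whole blood",
    "diagnosis": "anemia, unspecified",
}

if __name__ == "__main__":
    print(minimum_necessary(SAMPLE_RECORD, "lab_tech", "tech01"))
    print(AUDIT_LOG[-1])
```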

Along those lines, employees should be trained not to share passwords to clinical, financial and other applications, says Steve Kelly, a consultant at The Newberry Group, a technology management consulting firm in St. Charles, Mo. Also, log off whenever you leave your desk.

Equipping laptops with beacon software, such as Absolute Software's Computrace, can help companies track down stolen machines. The program, loaded into the computer's system software, instructs the laptop to call out—send a beacon—to Absolute's online monitoring center every time it connects to the Internet. Investigators can then trace its location by the Internet Protocol address revealed during the contact.

Encrypting backup tapes and disks makes the data on them unreadable without the right software decryption keys, according to John Glaser, CIO of Partners Healthcare in Boston. If thieves can't see the Social Security numbers and dates of birth on the machines they steal, chances of identity theft drop. Plus, he notes, state breach notification laws leave an out for those who encrypt. Generally, organizations don't have to report breaches if they had encrypted the information stolen or lost.

Paller at The SANS Institute, meanwhile, says he's seeing a surge in companies buying encryption products in concert with the publicity of stolen laptops, lost tapes, hacked systems and other data spills.

The outbreak of breaches this year "is the first security issue that directly touches CEOs," Paller says. "All the others are big issues, but they delegated them. This one, the CEO is honest-to-God worried about getting called up to Congress and getting his picture in the local paper. He or she simply says to the I.T. people, 'Don't let it happen.'"

Step No. 1, as Providence learned: Don't let employees take home disks and tapes loaded with 18 years' worth of patient data. "We want to be a leader in information security," O'Brien says, hopefully. "Having had a bad experience can only help us be that leader."

This article was originally published on 2006-12-06
Kim S. Nash, Senior Writer, has covered the business of technology for 14 years, doing investigative work and writing about legal issues in the industry, including Microsoft Corp.'s antitrust trial. She has won numerous awards and has a B.S. degree in journalism from Boston University.