Contractor or vendor woes (commentary)

A few recent breaches involving health information have gotten me thinking more about contractor or third party data losses. Is our reaction to such incidents the same as it would be if the hospital, insurance company, or other covered entities directly experienced the breach or loss themselves? Is there some psychological reaction whereby the more remote the third party is in the chain of custody of our data, the less we will hold the covered entity responsible or blame the covered entity? Or is it a case of “the buck stops here” and our reaction to the covered entity will be the same as if one of their employees had lost the data, etc.?

The chronologies of health-related incidents include a number of examples. As you read each of the following incident summaries, put yourself in the place of an affected individual, and ask yourself with whom you might be mad or frustrated, if you would experience any negative emotional reaction. You can apportion psychological blame or responsibility as you see/feel fit. This exercise is not about legal responsibility but about perception and reactions.

2007 incidents:

  • Health Data Management Services, a subcontractor for Magellan Behavioral Services, sent unencrypted patient data on 75,000 people insured by WellPoint‘s Empire Blue Cross and Blue Shield unit in New York to Magellan, a company that monitors and coordinates mental health and substance abuse treatments for insurance companies. The disc, which was sent via UPS, contained names, SSN, policy numbers, and description of medical services. The disc was reported found in March; it had been delivered to the wrong address in Philadelphia and the recipient had not opened the package until March. You received a notification from WellPoint before the disc was found.
  • An employee of an unnamed data support firm exposed 2,000 Westerly Hospital patients’ names, addresses, SSN, insurance information, surgical procedures and medical histories on the web.
  • In what was described as “the biggest loss ever of personal information compiled by state government,” Georgia Department of Community Health‘s claims processing contractor, Affiliated Computer Services (ACS), lost a disk containing names, addresses, dates of birth, SSN, and Medicaid or PeachCare ID numbers of 2,900,000 Georgia residents. A package containing the disk had been shipped from ACS’s Atlanta office by an unnamed ground carrier. You received notification from ACS.
  • 14 computer tapes containing 9,000,000 records with unencrypted sensitive data used to verify Medicaid claims were missing for more than two weeks after MailMax, the courier delivering the tapes to the Texas Medicaid & Healthcare Partnership from Northrop Grumman, delivered the package to the right building but placed it in the wrong bin. Affiliated Computer Services, the lead contractor of the Texas Medicaid & Healthcare Partnership reported that they had not been told that the tapes had been shipped, so they were not aware that they were missing.
  • Cleveland Clinic in Ohio had trouble again in 2007, with more patient records blowing off an unnamed transporter’s truck.
  • Department of Defense contractor Science Applications International Corporation (SAIC) failed to secure transmissions over the internet, exposing names, addresses, SSN, and limited health info on 900,000 military members and their families.
  • Online payment contractor Verus, Inc. failed to restore a firewall after an upgrade, leaving all of its clients’ online payment records exposed to anyone who tried to access them. The company notified its clients and went out of business. Over 60,000 patients were affected at Stevens Hospital, Kennewick General Hospital, St. Vincent’s Hospital, Concord Hospital, and Freeman Health System. Your hospital notified you of the incident.
  • An unnamed courier for Americhoice, Inc., a TennCare provider, lost a CD containing personal information on 67,000 enrollees.
  • An employee of an unnamed contractor for Sutter Lake Hospital violated procedure and downloaded personal and medical information of approximately 45,000 former patients, employees and physicians to a laptop computer. The laptop was then stolen from his home.
  • Electronic Data Systems notified Defense Department contractor TriCare that EDS had not properly secured a part of the system and “certain external entities” had been allowed access to a file with personal and medical information. of members of 4,700 families.
  • Hanover Transcription Services provides medical transcription services for physicians. Through an error in web administration, all of the transcription records for one particular client, a group of physicians specializing in oncology (cancer) patients, wound up exposed on the web. There were 238 such files, comprising 750-1000 patient reports.

2008 incidents:

  • The Georgia Department of Community Health experienced another problem when an employee of WellCare, the company that administers health benefits for Medicaid and PeachCare members, exposed personal and sensitive records of up to 71,000 members on the Internet for nearly seven weeks before the error was caught. You received notification from WellCare.
  • PHNS, a Texas-based insurance-billing firm that handles business operations for Tuolumne General Medical Facility, under contract with Fresno county, said up to 20,000 people may be affected by the theft of four laptop computers and a desktop computer from a PHNS office in Cerritos.
  • Computers stolen from Advanced Medical Partners Inc. contained names, dates of birth, insurance company name, and some surgical equipment details on patients whose hospitals had rented equipment from AMPI. Your hospital notified you of the incident.
  • A box of patient records sent via UPS by Central Florida Regional Hospital to a Las Vegas company for a Medicare audit wound up in Salt Lake City at National Product Sales being sold as “scrap paper” to a teacher.
  • WellPoint unintentionally allowed indexing and caching of files containing members’ personal and medical info — and in some cases, SSN — due to an error by the unnamed vendor that administers their servers. Although they thought that the problems were fixed early last year and notified some people last year, 8 months later they learned that more people were affected. Months after that, they also learned that files with PII or PHI on at least 128,000 people were improperly secured on another server for over a year. WellPoint or its subsidiary notified you.
  • Bellin Health notified about 650 patients that when an unnamed bill processing vendor sent them invoices, their Social Security number may have been viewable in the window.
  • Fallon Community Health Plan said that the names, dates of birth, some diagnostic information, and Medicare identification numbers of approximately 30,000 Senior Plan members was on a laptop computer stolen earlier this month from an unnamed Boston-based vendor of the HMO. The data was not password protected or encrypted, in violation of the company’s policies.
  • “Thousands” of patient medical records from LabCorp fell off an unnamed courier’s truck.
  • The Central Collection Bureau, Inc. in Indiana had a server stolen that contained personal information of 700,000 people. The personal information potentially exposed includes names, contact information, Social Security numbers, dates of birth, dates of service, and medical procedure codes. The people whose data may have been exposed were referred to CCB for debt collection purposes by around 100 Indiana businesses on or before March 20, 2008, many of whom were hospitals or medical facilities.
  • Backup tapes stolen from the vehicle of Archive America, an unnamed off-site storage company included encrypted names, addresses, Social Security numbers, health information and credit card or other financial information regarding bill payment on 2.1 million patients of U. of Miami; 47,000 had financial info on the tapes. U. of Miami notifies you.

And those are just the incidents we learned about. There are probably many others.

Accidents happen, and this problem is not just confined to the healthcare sector. But how far along the chain do the security protections and monitoring of same really go? Who monitors or audits at each step or link in the chain? If Company A hires contractor B whose subcontractor C has an employee who doesn’t follow policies or contractual obligations, one could argue that Company A did everything it reasonably could do, and hey, stuff happens. But who’s really (ultimately) responsible — and who will the patients or customers blame or be upset with?

Does our reaction depend, in part, on whether Company A manages to convince us, through any notification and disclosure, that they really had adequate security and protections in place and this was something really out of their control? Or do we say to ourselves, “Hey, why did you permit your contractors to use ground carriers instead of transmitting the data securely and electronically?” or “Wait a minute…. after you found that you had one web exposure, did you arrange for an independent security audit or did you just continue to use the same company that had already made one mistake?”

And how do we feel when Covered Entity A will not name the vendors or contractors involved? Are covered entities doing themselves a reputation disservice by not naming the vendor or contractor who experienced the loss? From a psychological perspective, if the customers or patients are given another name, will we be more likely to hold the contractor responsible or to be angry at the contractor instead of the covered entity? I wouldn’t be surprised if there were many frustrated and angry customers or patients out there who think to themselves, “Why are you shielding the contractor instead of feeling more responsibility to me? You’re protecting their privacy when you didn’t protect mine?”

blame

It would be helpful if there were more psychologically oriented research on breaches and reactions to breaches. While businesses may only care about the “bottom line” or “churn” rate, that rate may be manipulable by how entities disclose, notify, and handle a very common psychological reaction of “Who’s to blame for this?”

Edited at 2:14 pm to insert Archive America’s name in U. Miami incident.

About the author: Dissent