Tony Kennedy and Maura Lerner report on the aftermath of a contractor breach that affected patients at Fairview and North Memorial hospitals in Minnesota. For those who may not recall the Accretive breach, the reporters provide a summary:
On the night of July 28, according to police reports, a consultant named Matthew Doyle, who worked for Accretive Health Inc., left a Dell laptop in the back seat of a rental car parked in the Seven Corners bar and restaurant district in Minneapolis. When he returned after 10 p.m., the back window was smashed and the computer was missing.
The laptop contained information on 14,000 Fairview patients and 2,800 North Memorial patients, potentially exposing them to identity theft or other harm.
The bulk of the news story deals with Accretive Health’s failure to encrypt and adequately secure the data, noting that nationwide, there are about three reports per month of stolen laptops with unencrypted patient data. I think that estimate is way too low and that we’re only finding out about an average of three per month but there are likely many more.
But what have the Minnesota hospitals learned from the breach and how has it affected their relationship with Accretive?
Lois Dahl, Fairview’s information privacy director, said the mistake has taught the hospital to verify, not just trust, that its contractors are living up to privacy obligations.
Fairview also is considering dropping Social Security numbers from records shared with outside business partners, Dahl said. The hospital also wants to tighten practices to ensure it is not giving vendors more patient information than necessary, she said.
Bingo! It’s a shame it took this breach for them to learn those lessons, but if they’ve learned them now, I’m glad for that.
For its part, Accretive has started daily audits to ensure encryption on all devices carrying patient information, Kazarian said. The company also has “reaffirmed” rules for keeping laptops secure, he said.
And what are their rules? It would be nice to know what they are instructing employees – other than not to leave a laptop in the back seat of a car in a bar parking lot.
Harley Geiger of the Center for Democracy and Technology (CDT) described the breach as “failure of diligence,” and I concur. But it’s not just the contractor’s diligence. As the hospital now realizes, covered entities need to verify that contractors are living up to the terms of any contract in terms of protecting the privacy and security of patient data.
Yesterday, in another sector, we saw how the SEC discovered that a contractor had shared data with unapproved and un-vetted subcontractors. SEC notified its employees of the breach, but the impressive part is that they audited and verified what was happening to data they had shared with the contractor. More HIPAA-covered entities would benefit from the “trust but verify” approach. It’s just not enough to have clauses in a contract and when covered entities are themselves audited, I hope they are asked to indicate how often and how they verify that business associates are adhering to the security and privacy protections in their contract.
“This was not the result of some sophisticated attack,” Geiger said.
No, indeed. And I am hard-pressed to think of any sophisticated attacks on patient data that we have seen. Most of them seem to be reasonably low-level attacks that could have been fairly easily prevented. Besides, why knock yourself out attacking networks when there is so much low-hanging fruit just lying around for the taking?
(Url corrected to link to Star Tribune)