
Managing the nightmare of identity theft

Madison, Wis. - The nightmare of managing liability in identity theft cases was spelled out during a late session of WTN Media's Digital Healthcare Conference, and healthcare providers got a real sense of what a sleepless period it would be.

Using a hypothetical case of identity theft from an orthopedic hospital, attorneys from Michael Best & Friedrich demonstrated how much trouble healthcare organizations can find themselves in even when they take steps to prevent security breaches that result in lost, stolen, or damaged medical records.

Prior to the mock trial, members of the audience learned that there are plenty of real life cases to draw lessons from, too. Attorney Paul Benson, a partner with Michael Best & Friedrich, cited a recent World Privacy Forum survey that identified more than 120 reported data breaches in American companies, resulting in $53 million in fines, since February of 2005. One company, ChoicePoint, was fined $10 million for its data breach.

Fellow Michael Best partner John C. Thomure, the defendant's attorney, joined Benson, the prosecuting attorney, in a debate. The facts of the case were not in dispute, but the interpretation of those facts was.

In an attempt to protect patient information on electronic and paper records, the defendant, Bad Break Orthopedic Hospital, took steps to implement both physical and technical safeguards and train employees on data security. Nevertheless, the hospital's data security was breached by a disgruntled employee who stole a laptop from the hospital and gained unauthorized access to its computer system. While a simple password would have prevented a breach on the laptop, the employee breached technical security measures and [appropriated] sensitive patient information such as names, Social Security numbers, dates of birth, diagnoses, and payment information.

The owner of the laptop immediately notified the hospital of both the theft and the security breach, but in its anxiety to find the perpetrator and recover the compromised records, the hospital did not notify affected patients until more than three weeks after the theft. Not long afterward, patients began to report incidents of possible identity theft: credit cards were opened in their names, and collectors were calling. A class action lawsuit ensued, claiming the hospital had negligently put patients at risk of identity theft.

The hospital further enraged patients and their attorneys during the discovery process when, despite the existence of a record retention policy and related employee training, the organization responded slowly to requests, released information on a piecemeal basis, and offered vague explanations as to how relevant files were found. The plaintiffs claimed discovery misconduct.

During his opening statement, Benson blasted the hospital for failing to invest in encryption, which he described as a best practice. He also accused the hospital of trying to cover up mistakes during its internal investigation, and of violating the Health Insurance Portability and Accountability Act (HIPAA) and state law by not informing patients of the breach in a more timely fashion. He cited several organizations that immediately notified identity theft victims so they could take steps to protect themselves financially, and another that acted responsibly by setting up e-mail accounts to keep victims apprised of subsequent events.

Benson, who focused on the plaintiff's financial losses, sought $4 million in punitive damages. "If you don't teach Bad Break a lesson here, and companies like it in these cases, when will these problems end?" he asked.

Thomure disputed the contention that a HIPAA violation occurred, and characterized Benson's presentation as an example of how fear is used to compel liability. He said the hospital met the test of reason by instituting policies and safeguards, thoroughly training workers in its comprehensive record retention policies, immediately conducting an internal investigation, hiring an auditor to check HIPAA compliance, and notifying patients after efforts to catch the perpetrator failed.

What would be unreasonable, Thomure said, was for his clients to have no policies or procedures, no training, no internal investigation, and no audit. He said the prosecution was trying to apply the strictest standard for negligence when the ordinary standard should apply, and that if the strict standard were applied, credit card companies, which are already in a position to cover these losses, would shift the costs to hospitals. With healthcare costs already rising at three times the rate of inflation, a strict standard could make a bad situation worse, he said.

"I assure you the cost of healthcare will go up substantially because the plaintiff wants a perfect system," Thomure stated as part of his remarks on behalf of Bad Break.

Following the presentation, the merits of each case were evaluated by a panel that included Steven Biskupic, U.S. Attorney for the Eastern District of Wisconsin; Lorna Granger, chief legal officer and chief compliance officer for ProHealth Care; and Paul Verberne, legal counsel for HSA Bank. Only Biskupic sided with the prosecution. He noted that all criminal culpability centers on knowledge of a bad act. "If you know people's credit card bills are being run up, and you don't do anything about it, you're going to have some explaining to do," he said.

Verberne, however, noted that HIPAA doesn't require best practices, only that hospitals act reasonably. "This standard is not as rigorous as what the banking industry regularly has to face," he said.

Granger pointed out that the most sensitive information lost was not financial, but medical, which is what HIPAA is designed to protect. She said real damage would occur if a person who is HIV positive or has a sexually transmitted disease had personal medical records fall into the hands of an employer. If the strictest standard is imposed for financial losses, Granger said the cost of healthcare would rise again. "This is not the right case to allow that to happen," she stated.

Comments

Darrell Pruitt DDS responded 2 years ago: #1

Is everyone completely missing the point? Lorna Granger, the executive officer for ProHealth Care, is almost correct when she mentions that the most sensitive information at risk is not financial (as in stolen credit cards), but medical. But then again, let us consider the market value of intimate medical information for millions of Americans. It is indeed about money - lots of money. It is always about money. Why, even the government’s promulgation of HIPAA itself is about money. Patient privacy is only an excuse for the expensive mandate desired more by the insurance and IT industries than the medical community.

At the beginning of this year, a hacker stole millions of dollars from major credit card companies such as Visa and Mastercard. The headline in the March 9th edition of “Information Week” read, “PIN Scandal ‘Worse Hack Ever’; Citibank Only The Start”. Compared to the value of millions of medical records, Citibank risks pennies. If a PIN is stolen, one can attain a new PIN. If the privacy of one’s health record is violated, the value of the information to a thief lasts one lifetime.

Let us face it. The financial industry is woefully unable to keep hackers out. And they are using more rigorous standards than HIPAA requires. The argument of whether or not a person’s medical privacy is a constitutional right may already be moot. For those who know how to profit from health information, there may already be an internet market. Criminals outside the reach of the U. S. government may already be taking advantage of its citizens. How would anyone know? When money is stolen, ultimately the evidence appears as missing money. When electronic data is stolen, nothing shows up missing.

Ms. Granger feebly suggests that harm can be done if an employer learns that an employee has HIV or a sexually transmitted disease. She is too late with her concern. As I understand HIPAA (with its absurd amendment which quietly passed in 2003), if a small company is self-insured, the boss already has legal access to the medical records of all employees; as do more than half a million other businesses which include millions of employees.

How long will it be before anyone will be able to google anyone else’s medical history on the internet?

In a small town, newcomers learn to be tolerant of others’ differences and sympathetic to others’ illnesses. Will the world of the future be so kind? There is no privacy.
Darrell Pruitt DDS

Matthew Neuman responded 2 years ago: #2

I think the panel misinterpreted the HIPAA Security Rule. While it does call for organizations that create, transmit, or store electronic protected health information to act reasonably, it does so in regards to implementing the required information assurance process. HIPAA specifically outlines the use of an information assurance process, which is the IT industry's best practice for ensuring data integrity and security. This is also the basis for the Gramm-Leach-Bliley Act and the FISMA and DITSCAP processes that the Federal Government follows. So in this case the hospital would need to demonstrate that it has implemented this process and that it is following industry best practices for doing so.

Darrell Pruitt DDS responded 2 years ago: #3

Since I posted my comment concerning patient privacy almost a month ago, two serious breaches in the security of patients’ medical information have occurred in the United States… that we know of.
Around the time that I penned the first comment on May 9, what is said to be the largest breach of personal information in history occurred in Maryland. Incredibly, the Veterans Administration kept this news secret for two weeks after the burglary was discovered, arguably endangering the welfare of the veterans it is obligated to protect. The Chinese government tried to keep SARS a secret from its citizens -- many died needlessly. How will our government react to a crisis more serious than… money?
The story that the VA is sticking to at this time is that an employee took a laptop computer home from work, and it was stolen. The personal information for 26,500,000 veterans was on that computer. When the loss was finally admitted by a representative of the VA, he said that no medical records were involved in the breach. Later, and only after being pressed, the VA admitted that up to 3,000,000 medical records were involved. And they are sticking with that figure for now. Really.
Here is something else that frightens me: On May 28th, the Associated Press obtained a memo written by privacy officer Mark Whitney to his superiors dated May 5th, two days after the burglary. Mr. Whitney, bless his heart, tried his best to put a happy face on the loss. He wrote, “Given the file format used to store the data, the data may not be easily accessible."
Mr. Whitney was once a privacy officer employed by the Veterans Administration. You might catch him walking the beat at a Walmart Super Center now if they really need the help. Which bozo was responsible for hiring and training this bozo?

The other incident concerning loss of privacy occurred in a hotel in Chicago where an insurance company employee simply failed to delete business information from a hotel computer he used. The breach exposed personal data, including medical information, for 17,000 Medicare beneficiaries. It was a dumb mistake. Probably.
Then again, it could be a perfect cover for selling data. It is much more clever than stealing a computer. If the data was downloaded by a subsequent visitor to the hotel, the perpetrators will never go to jail unless one of the two really screws up. Think about it. The overhead needed to run this kind of internet information business, far outside the reach of United States authorities, is incredibly low and the profit is very high. And the risk? You have got to be kidding. What risk? There is no paper trail. There is no trail. There is only an odor. It smells like organized crime. What was that about the complicated format?

How much is the medical data for virtually everyone in the United States worth? Make a guess. And how long will its value last compared to PIN numbers? Lifetimes.

Look, I am not in the IT business. I am a dentist, husband and father. I am asking those who are responsible for watching over our interests: What are you going to do? Can you honestly tell me that the nation is ready for electronic medical records? The Bush administration says we are, yet of 19,420 grievances which have been lodged by US citizens claiming health care entities’ inability to keep their medical information private, there have only been two (2) convictions.

Please give me an honest answer as a businessperson in the IT industry who may also have a spouse and two young sons. If you tell me that the nation is ready for this, God help us.

Considering what is at stake, why are we rushing to become “paperless”? You cannot tell me that this administration is interested in saving trees. What is so bad about the post office? It may be slower, but it is more secure than electronic transmission will ever be. I trust my mailman. He has been delivering mail to me for years.

For small business owners, like most dentists, HIPAA compliancy is even more absurd.
For every dollar a dentist raises fees to cover unproductive regulation, even if the rule does make sense, someone goes to bed with a toothache.
Darrell Pruitt DDS

Dout Kelley responded 1 year ago: #4

Great articles on Identity Theft and compliance issues with governmental regulations that are unknown to most every employer. Thanks for sharing and instructing consumers of all kinds.

Darrell Pruitt DDS responded 1 year ago: #5

HIPAA – a huge blunder in dentistry

Michael Leavitt, Secretary of HHS, should be blamed for overseeing a blunder of historical scale which very few have discovered so far. It is my contention that the HIPAA regulations, which were initially intended to protect consumers, were ambushed in 2003 by the Bush administration, and then modified to give the insurance industry even more unfair control of healthcare. The newly elected administration, in gratitude to political donors, carelessly rushed the regulation into the marketplace before considering the business risks that electronic health records pose for dentists and other healthcare professionals who maintain small, computerized practices.

Because of millions of patients whose privacy has been compromised in the loss of laptop computers, 33 states have passed breach laws. If a computer is stolen from a dentist’s office, and it contains patient information, the dentist is obligated by ethics, if not law, to contact each of his or her patients and tell them, “Sorry, but you will have to watch your credit for a couple of years.”

This will unjustly, but reliably bankrupt many dental practices. Predictably, a large percentage of informed patients will not return. Period. Some dental offices are in parts of communities where they could easily be burglarized more than once in a short period of time. Can you imagine how quickly a stolen computer, or even a misplaced USB flash drive, can destroy a practice? This is a huge blunder and a perfect example for the history books of premature legislation contaminated by political favors.

A premature HIPAA will be seen by historians as an ill-advised blunder which set back computerization in dental offices thirty years. Here is the hard part: There is no turning back. Dentists will simply go back to using pegboard, carbon paper and ledger cards since most practices are not so large that the paperwork is unmanageable. Paperless practices, once the buzzword of modernization, are bankruptcies waiting on burglars. Progress.

There is some humor in all of this, though. The paper-phobic insurance industry, which stood to win the most from HIPAA, will have to forever deal with paper or abandon dentistry. Sweet. Patients will save money and dentists will earn more as well.
Darrell Pruitt DDS
