December 20, 2012, 12:53 PM — Data breaches are unfortunately not uncommon in the healthcare industry. In the last three years, more than 500 breaches affecting 500 or more patient records have been reported to the Office for Civil Rights (OCR) within the U.S. Department of Health and Human Services. OCR estimates that close to 60,000 smaller breaches have occurred in the same timeframe.
Most data breaches begin with a moment of, "You're not going to believe what just happened," says Robert Belfort, a partner with Manatt, Phelps & Phillips LLP. It could be a CD with patient data that goes missing from a storage firm when the employee who signs for it suddenly resigns, or it could be a laptop taken from a car parked in an otherwise nondescript residential neighborhood.
Both incidents are real; the latter occurred in 2011 and involved the Massachusetts eHealth Collaborative (MAeHC), a small nonprofit that's nonetheless active in influencing national healthcare IT policy. Given the organization's role, "It was no small embarrassment to find out that we had made some critical mistakes," CEO Micky Tripathi says.
What to Do If You're a Victim of a Healthcare Data Breach
Once an incident is discovered, the first step is determining if a breach actually happened. That's no small task, Belfort says, as there are differences between data breaches and system vulnerabilities or violations of an organization's security policy. Vulnerabilities and violations should be noted, both for auditing purposes and to educate employees about data security, but they don't automatically constitute breaches.