In Aug. 2009, a laptop belonging to an employee of Blue Cross/Blue Shield was stolen from a car in Chicago. While laptops are stolen in the United States all of the time (every 12 seconds, according to FBI and insurance sources), this laptop reportedly contained something pretty valuable — and pretty alarming: the name, address, tax ID and national provider number (NPI) of 850,000 physicians.
The episode apparently occurred on Aug. 8, 2009, but was not revealed publicly by BC/BS until Oct. 2, 2009 (according to datalossdb.org). It was reported widely in several national publications in October, including by the AMA (amednews.com), by InformationWeek Healthcare (informationweek.com) and by FierceCIO (fiercecio.com).
This incident is concerning for several reasons:
1. While 850,000 represents only a fraction of the total number of providers in the United States, the sheer number of records involved is very concerning.
2. Many providers use their Social Security number as their tax ID and/or NPI. This increases the risk of identity theft and other forms of financial fraud.
3. This didn't happen to an unknown corner drug store or a new medicinal marijuana clinic, which might be thought to have few resources to deal with IT and data security. It happened to one of the largest and well-known payor networks. One would expect that both the skill level and the means to prevent this type of incident would exist at an organization such as BC/BS.
4. Apparently this type of episode is either too commonplace or too obscure to be noticed or understood by physicians. In checking with physicians that we know, very few seem to even know about the breach, even though it was reported widely as indicated above. Even when informed of the story, few seem to want to take the initiative to find out if their information was contained on the laptop, even though virtually every practicing U.S. physician probably has an instance in the "Blues" database.
With increased adoption being promoted because of ARRA/HITECH, the technical skill level of many implementation resources is becoming more of a concern. In addition, there are many other technical and operational concerns, because of the increased availability and lowered costs of high bandwidth data circuits, high-capacity portable storage devices, the proliferation of portable devices such as smartphones and PDAs, wireless networks with easily defeated security, and a host of other issues.
This incident, and similar ones that are being reported virtually every day, should cause all healthcare entities to increase their vigilance around data security. The HIPAA Security Rule, which most medical entities seem to largely ignore, represents a good framework to prevent and minimize these types of data breaches. Even though there was no patient data (EPHI) involved in this incident, the same principles should be applied to the business side of any practice's or ASC's data store.
Marion K. Jenkins, PhD, is founder and CEO of QSE Technologies, which provides IT consulting and implementation services for ASCs and other medical facilities nationwide. Learn more about QSE Technologies at www.qsetech.com.
The episode apparently occurred on Aug. 8, 2009, but was not revealed publicly by BC/BS until Oct. 2, 2009 (according to datalossdb.org). It was reported widely in several national publications in October, including by the AMA (amednews.com), by InformationWeek Healthcare (informationweek.com) and by FierceCIO (fiercecio.com).
This incident is concerning for several reasons:
1. While 850,000 represents only a fraction of the total number of providers in the United States, the sheer number of records involved is very concerning.
2. Many providers use their Social Security number as their tax ID and/or NPI. This increases the risk of identity theft and other forms of financial fraud.
3. This didn't happen to an unknown corner drug store or a new medicinal marijuana clinic, which might be thought to have few resources to deal with IT and data security. It happened to one of the largest and well-known payor networks. One would expect that both the skill level and the means to prevent this type of incident would exist at an organization such as BC/BS.
4. Apparently this type of episode is either too commonplace or too obscure to be noticed or understood by physicians. In checking with physicians that we know, very few seem to even know about the breach, even though it was reported widely as indicated above. Even when informed of the story, few seem to want to take the initiative to find out if their information was contained on the laptop, even though virtually every practicing U.S. physician probably has an instance in the "Blues" database.
With increased adoption being promoted because of ARRA/HITECH, the technical skill level of many implementation resources is becoming more of a concern. In addition, there are many other technical and operational concerns, because of the increased availability and lowered costs of high bandwidth data circuits, high-capacity portable storage devices, the proliferation of portable devices such as smartphones and PDAs, wireless networks with easily defeated security, and a host of other issues.
This incident, and similar ones that are being reported virtually every day, should cause all healthcare entities to increase their vigilance around data security. The HIPAA Security Rule, which most medical entities seem to largely ignore, represents a good framework to prevent and minimize these types of data breaches. Even though there was no patient data (EPHI) involved in this incident, the same principles should be applied to the business side of any practice's or ASC's data store.
Marion K. Jenkins, PhD, is founder and CEO of QSE Technologies, which provides IT consulting and implementation services for ASCs and other medical facilities nationwide. Learn more about QSE Technologies at www.qsetech.com.