Do you backup your data? Excellent! Do you use encryption software to protect its contents? Not doing so means that you’ve joined the “Data Breach Club,” where the chances of a data breach are not an “if” but “when.” Take Kmart as an example, which had a data breach because a thief robbed one of its store at gunpoint.
Nobody Expects their Data Backup to be Stolen
When I first heard that Kmart had to publicize a data breach because of HIPAA regulations, it hit me like a bag of surrealistic bricks (Kmart and HIPAA/HITECH?). But, I remembered that many Kmart locations also include a pharmacy. The story, as storefrontbacktalk.com describes it, is as follows:
On March 17, an armed robbery took place at a Little Rock, Arkansas Kmart. The assault took about an hour after closing time, and the perpetrator pointed a gun to the assistant store manager and forced him to open the store safe. The thief wiped it clean, which included $6,000 in cash and a backup disk.
The backup disk contained “full names, addresses, dates of birth, prescription numbers, prescribers, insurance cardholder IDs and drug names for some 788 customers” and, in certain cases, SSNs as well (well, more than a few. The spokesperson noted it was a “few hundred customers.”
Aside from the obvious mistakes, the spokesperson made two additional observations: (1) that accessing the customers’ information “is slim to none, because you would need to know what software package” was used, and (2) that they were quick in contacting customers because they did so in about a month, as opposed to the 60 days that they’re given.
Data Breach Possibility, Slim to None: Only If You Used Encryption
The observation that accessing customers’ information is slim to none is debatable at best. It is slim to none because chances are the thief is not going to look. Generally, when a laptop gets stolen, it’s wiped and reformatted for sale (at least, that’s the reigning consensus). One assumes the same would hold for disk drives used as backups.
Then again, we must remember that this disk drive was inside a safe. That already suggests that something valuable is stored in it. Under the circumstances, what are the chances that the thief will ignore the suggestion that it’s worth his while to see what’s in it?
And, if he does, then the odds of a data breach are not really slim to none: freely available software from the internet can be used to scan a disks contents for particular information, like Social Security numbers (either as a pattern of 000-00-0000 or as a string of 9 numbers).
Only in the event that encryption is used can one confidently declare that particular breach is nearly riskless.
HIPAA Data Breaches and Unreasonable Delays: You (Don’t Really) Have 60 Days to Report It
One of the more misinformed statements I’ve read is the following:
Asked why the delay [a little over one month], Sears spokesperson Shannelle Armstrong-Fowler pointed out that the chain moved much more quickly than the law requires. “Under HIPAA guidelines, 60 days are available for a health care entity to investigate and report on a potential breach. We completed our investigation and notified customers in approximately thirty days,” she said.
This is entirely correct as well as partially true (what, you say? That sounds like a contradiction? Read on). As the Department of Health and Human Services (HHS) has pointed out in various publications, a breached entity must contact affected patients within 60 calendar days. However, it has noted that the HIPAA covered-entity must also contact patients as soon as possible. In a previous post (Does HIPAA / HITCH Really Give You 60 Days For Patient Notification?), I wrote the following:
It behooves administrators for a HIPAA-covered entity to take a good look at the HHS’s opinions on the matter of data breaches and notifications. The 60-day limit is an “upper limit” and covered entities are expected to contact patients ASAP.
and supported the argument by noting the following passages from the Federal Register:
“…if a covered entity learns of an impermissible use or disclosure but unreasonably allows the investigation to lag for 30 days, this would constitute an unreasonable delay.”
“…if a covered entity has compiled the information necessary to provide notification to individuals on day 10 but waits until day 60 to send the notifications, it would constitute an unreasonable delay despite the fact that the covered entity has provided notification within 60 days.”
If the HHS Office of Civil Rights (OCR) were to conduct an audit and were to find that Kmart had unnecessary delayed contacting patients, it could mean severe legal repercussions for the wholesaler. Under HIPAA, 60 days is not really 60 days.
I’m no PR expert, but it seems to me that the spokeswoman should have focused on stating that they had to conduct an investigation, couldn’t finish it any sooner, and notified its customers as soon as possible.
Of course, when you consider that the stolen disk affected 788 Kmart customers, one wonders whether they couldn’t have been notified any sooner, and whether 30 days was really necessary. I’ve certainly seen situations where even more people were affected and notification letters were sent in a couple of weeks.
On the other hand, I’ve seen the inverse as well. The trick, it seems, is to design your systems with the possibility that a data breach will occur. By doing so, processes for a quick recovery are implemented.
For example, the reporting engine in AlertBoot Mobile Security allows one to easily generate mobile security audit and incident reports. It’s used by many of our clients to prove compliance with laws and regulations in the event a mobile device (like a smartphone or a tablet) or a laptop computer is lost or stolen.
Related Articles and Sites: