News

Managing a health data breach with a response plan

By Patrick Ouellette

Some organizations say they're going to improve security after an incident. David Dover, Privacy and Security Officer at Alere Inc., can attest that his organization actually made the effort to strengthen its security approach following a data breach at Alere Home Monitoring, Inc. in the fall of 2012.

Alere Home Monitoring, one of Alere's subdivisions and a HIPAA covered entity, reported on Nov. 9, 2012 that an employee's unencrypted laptop had been stolen from a car and that the data of more than 100,000 patients was potentially compromised. Dover said Alere had already planned to bring in a new product to aid security, but the data breach was a catalyst for getting it in place faster. Dover and Alere started using Co3 Systems, a Software as a Service (SaaS) application that helps organizations prepare for and manage security incidents, around September 2012.

Co3, like other breach response applications on the market, includes a privacy module that tracks federal and state privacy-related regulations and a security module that holds best practices for different types of security incidents, such as a DDoS attack or a malware outbreak. Across the two modules, Co3 matches an organization's breach information against those rules to generate a detailed data breach response plan. In the case of a malware outbreak, the plan would include tasks such as identifying and quarantining the affected endpoints, analyzing the malware involved and, if protected health information was involved, notifying the state insurance commissioner, the affected patients and the relevant state attorneys general.

In all, Alere has 14 different HIPAA-governed entities; some are covered entities like Home Monitoring and some are business associates (BAs) such as Standing Stone, Inc. Each of these entities has its own local privacy officer, and Dover explained that some of these officers wear many hats, serving also as attorneys or chief financial officers (CFOs). Because, for example, an attorney privacy officer would write everything down by hand while a CFO would put everything in Microsoft Excel, Dover and Alere needed a consistent logging process from which Dover could import and export charts to see where their risks were. After reporting the Home Monitoring breach to the Department of Health and Human Services (HHS), there were some compliance gaps that Co3 helped fill.

“We use the Co3 application to document information involved in an incident as well as document the state of residency for each member whose data was involved,” Dover said. “In the stolen laptop incident, there were some things we already knew, such as we knew we had to report the incident to HHS and we knew we had to provide credit monitoring to the affected patients. But one of the things that wasn’t immediately apparent to me was that some states required notification to their individual state attorneys general. Having the Co3 recommendations helped prevent us from overlooking any of our reporting obligations.”
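The matching Dover describes, from affected members and their state of residency to a list of reporting obligations, is simple enough to show in code. The following is an added illustration written for this page, not code from Co3 or Alere. The HIPAA Breach Notification Rule figures (500-individual HHS threshold, media notice for more than 500 residents of one state, 60-day outer limit on notice) are real; the per-state attorney general thresholds in `STATE_AG_RULES`, the `Incident` record and the `sample_incident` counts are constructed for the example and are not a statement of any state's actual law.

```python
from collections import Counter
from dataclasses import dataclass

# HIPAA Breach Notification Rule (45 CFR 164.400-414) figures; these are real.
HHS_IMMEDIATE_THRESHOLD = 500   # 500+ individuals: report to HHS along with individual notices
MEDIA_NOTICE_THRESHOLD = 500    # more than 500 residents of one state: notify prominent media
NOTICE_DEADLINE_DAYS = 60       # notice without unreasonable delay, no later than 60 days

# Hypothetical state attorney general (AG) notice thresholds, constructed for
# this example only. Real statutes differ and change; look each one up.
STATE_AG_RULES = {
    "CA": 500,   # notify the AG when at least this many residents are affected
    "NY": 1,
    "TX": 250,
    # states absent from the table: no AG notice modelled here
}


@dataclass
class Incident:
    """Minimal incident record (constructed shape, not Co3's data model)."""
    incident_id: str
    phi_involved: bool
    encrypted: bool     # encrypted per HHS guidance at the time of loss?
    affected: list      # [(member_id, state_of_residency), ...]


def residents_by_state(incident):
    """Count affected individuals per state of residency."""
    return Counter(state for _, state in incident.affected)


def obligations(incident):
    """Derive notification obligations for one incident.

    Returns {"hhs": str, "individuals": bool, "media": [states], "state_ag": [states]}
    so each item can be tracked and checked rather than only printed.
    """
    result = {"hhs": None, "individuals": False, "media": [], "state_ag": []}
    if not incident.phi_involved:
        result["hhs"] = "none: no PHI involved"
        return result
    if incident.encrypted:
        # Encrypted per HHS guidance is not "unsecured PHI": safe harbour,
        # no notice required, but document the analysis that led here.
        result["hhs"] = "none: encrypted PHI (safe harbour); document the assessment"
        return result

    per_state = residents_by_state(incident)
    total = sum(per_state.values())
    result["individuals"] = True     # individual notice is always owed for unsecured PHI
    if total >= HHS_IMMEDIATE_THRESHOLD:
        result["hhs"] = f"report to HHS within {NOTICE_DEADLINE_DAYS} days of discovery"
    else:
        result["hhs"] = "log; submit to HHS within 60 days after the end of the calendar year"
    for state, n in sorted(per_state.items()):
        if n > MEDIA_NOTICE_THRESHOLD:
            result["media"].append(state)
        threshold = STATE_AG_RULES.get(state)
        if threshold is not None and n >= threshold:
            result["state_ag"].append(state)
    return result


def sample_incident():
    """Constructed sample: an unencrypted laptop holding PHI; counts are made up."""
    affected = ([(f"ca{i}", "CA") for i in range(600)]
                + [(f"ny{i}", "NY") for i in range(3)]
                + [(f"tx{i}", "TX") for i in range(200)]
                + [(f"al{i}", "AL") for i in range(10)])
    return Incident("INC-0001", phi_involved=True, encrypted=False, affected=affected)


if __name__ == "__main__":
    import json
    print(json.dumps(obligations(sample_incident()), indent=2))
```

The point of keeping residency per member rather than a single total is visible in the sample: the 600 California residents trigger both a media notice and an AG notice, the three New York residents trigger an AG notice on their own under the constructed rule, and the 200 Texas residents trigger nothing at the state level even though the incident as a whole is a reportable large breach.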

Senior management's quick response to the breach, made with the knowledge that its decisions affect 14 different HIPAA-governed entities, makes life easier for Dover. “We try to be careful about spending, but privacy and security is a priority for a diverse organization such as Alere,” Dover said. “But getting money for [new products] sometimes takes longer than I’d like. An incident such as the stolen laptop was of high importance to our senior management team and they wanted to prevent the incident from happening again at that location and at all the others.”