Project Mission and Scope

Presented By:

Rick Kam, President/Co-Founder

ID Experts

Advisory Committee Meeting, March 17, 2011

March 17, 2011 Advisory Committee Meeting Slide 2

The Problem

What is the Financial Impact of the

Unauthorized Disclosure of PHI/PII?

Slide 3

Man Paid Hospital Employee for Patient Records in Las Vegas Scam

In 2009, Richard Charette paid a University Medical Center supervisor $9,200 for 55 patient record face sheets

Used PHI to solicit business for Las Vegas chiropractors and personal injury lawyers

FBI learned of scam from an “unidentified” chiropractor

On Feb. 1, 2011, Charette pleaded guilty, and could serve 5 years in prison and pay a $250,000 fine

UMC and Charette named in potential class-action lawsuit for victims

State Bar of Nevada is also investigating

Slide 4

Computer Flash Drive with PHI “Misplaced”

A flash drive with the PHI of 280,000 people, including Medicaid recipients, was reported “missing” from the offices of affiliated insurers Keystone Mercy Health Plan and AmeriHealth Mercy Health Plan in Pennsylvania

Flash drive had been used at community health fairs

Insurers reported breach to the Penn. Dept. of Welfare; notified affected population

“This is a particularly vulnerable group of people [who] tend to be vulnerable to identity theft, vulnerable to discrimination.” — Dr. Deborah Peel, founder of Patient Privacy Rights [1]

No reported misuse of PHI

Slide 5

Failure to Secure PHI and to Notify Costly for Health Net of Connecticut

In 2009, an unencrypted portable disk drive with the PHI and financial information of 1.5 million patients disappeared

Health Net did not notify authorities or affected population for at least six months

In 2010, Connecticut AG sued Health Net: first action by a state AG for violating HIPAA since HITECH

Health Net settled for $250,000 and created a $500,000 reserve for victims’ claims

Connecticut Insurance Dept. fined Health Net $375,000

In 2011, Health Net also settled a complaint with the Vermont AG for $55,000

Slide 6

The Rising Cost and Frequency of Healthcare Data Breaches

Ponemon Institute: Data breaches are costing hospitals nearly $6 billion a year [1]

Medical-related data breaches listed in Privacy Rights Clearinghouse [2]: 116 breaches listed in 2007-2008; 229 breaches listed in 2009-2010

86% of large-hospital employees surveyed believe that the number of data breaches discovered will increase under HITECH [3]

The Department of Justice secured “$2.5 billion in health care fraud recoveries—the largest in history,” for the fiscal year ending 9-30-2010 [4]

1. Benchmark Study on Patient Privacy and Data Security, November 9, 2010, Ponemon Institute LLC.

2. http://www.privacyrights.org/

3. 2009 HIMSS Analytics Report: “Taking a Pulse on HITECH, Are Hospitals and Business Associates Ready?” November 17, 2009.

4. Department of Justice, November 22, 2010, http://www.justice.gov/opa/pr/2010/November/10-civ-1335.html

Slide 7

Current/Proposed Laws

HITECH Act – HIPAA 2.0

State Security Breach Notification

Proposed Legislation:

Carper/Bennett: Data Security Act

Pryor/Rockefeller: Data Security and Breach Notification Act

Slide 8

Risk Equation

Financial Impact of ID Theft

SSN + Account Number

$4,841*

*Javelin Research: Mean Fraud Amount, 2010 Identity Fraud Survey Report

Slide 9

Risk Equation

Financial Impact of “Medical” ID Theft

SSN + Health Insurance #

$20,000*

*Ponemon Institute: National Survey on Medical Identity Theft, Feb 2010

Slide 10

Risk Equation

Financial Impact

Diagnosis, Prescription, Specialist, Procedure

Unknown

Slide 11

CPO @ Notable Health System

“Unless an institution has suffered a major data breach and experienced the attendant costs—fiscal, operational and reputational—it is difficult to get senior management to give a reasonable priority to information security among all of the competing needs. 

The “cost” of the possible misuse of medical information is particularly difficult to conceptualize under the circumstances of any particular data loss event. 

Having more concrete data on the true costs of data breaches can provide a better perspective from which to evaluate those decisions.” 

Slide 12

Project Approach

Based on ANSI and SFG prior projects:

Victim’s Bill of Rights (2009)

Financial Impact of Cyber Risk (2008)

Financial Management of Cyber Risk (2010)

Slide 13

Approach

Collaboration of “Experts” from Government, Industry, Academia, and Standards Organizations

Facilitated by ANSI and the Santa Fe Group

Slide 14

Deliverable

White Paper

Slide 15

Possible Deliverables

List of common PHI/PII data elements

Identification of common “high risk” PHI/PII

Use cases of unauthorized disclosure of PHI/PII

Approaches to determine financial impact of unauthorized disclosure of PHI/PII