Everybody knows “that guy.” That guy who, every time you see him, is telling you about his latest do-it-yourself (DIY) project. Last week he replaced the air conditioner in his car, this week he is redoing all the plumbing at the river cabin, and today he is all excited about rewiring his home office to accommodate internet video, Wi-Fi and 3D TV. Admirable, but sometimes annoying. I must admit I have been “that guy” from time to time, having done a complete and total remodel of my man cave several years ago. What started as a simple upgrade of a basement (new carpets, new paint, etc.) turned into a home theatre room, pool hall, and wet bar, complete with a kitchen, exercise room and newly installed bathroom. While wearing out a path to and from Home Depot, I managed to trial-and-error my way through it. So today I can proudly walk people through my new space, carefully articulating how I managed to gang together the six dimmer switches in a series.
But I usually leave out the part where I almost killed my neighbor when I accidentally pulled the trigger on the compressed-air nail gun and shot a 3-inch nail through the sheetrock into the next room. I also rarely mention that I almost electrocuted my father-in-law when I shorted the 4-wire cable he was holding onto the main bus in the electrical breaker panel. The point is, some things are better left to a knowledgeable, experienced, certified, trained professional.
Such is the case when we start talking about managing all the implications of a data breach: the inadvertent or willful loss of private, sensitive, personal data. This is especially true in healthcare, where the data can be particularly sensitive and can place the victims in harm’s way for medical identity theft. Far too often we see organizations (or, to make it appropriately personal, senior managers in those organizations) decide that, “Oh, it was just a lost laptop and the chances of anything really bad happening are pretty small, so let’s just handle it ourselves.”
Bad move. Here’s what happens next. You issue a “quiet” press release (most likely on a Friday night, when you hope no one is noticing) saying that a mobile device holding patient identities and patient health records has been inadvertently misplaced. But since the chances that the actual data will be discovered and inappropriately used are remote, you see no need to notify the patients involved in the breach, and there is certainly no need to offer any identity monitoring or other consumer/patient protection.
Next thing you know, the press is calling asking for details (of which you have none, because you haven’t even started the forensic investigation to determine exactly what was lost), and your CEO is quoted saying something equivalent to “It’s no big deal.” The press immediately translates that quote into “We don’t care,” and your reputation as a healthcare organization that is all about patient care starts to spiral.
Next, the authorities start to call asking about HIPAA and HITECH compliance, and you suddenly realize you can be fined up to $1 million for this incident. Then the individual state attorney general’s offices start to call, and you realize this is out of control.
Just as you are picking up the phone to call the breach professionals, your chief counsel calls and tells you a class action lawsuit has just been filed for $10 million.
So if you are ever tempted to DIY your next breach incident, try to remember “that guy.” It is one thing to try to train yourself on all the HIPAA compliance issues. It is quite another to risk your organization’s hard-fought reputation with a DIY, trial-and-error approach.
© Copyright 2012 ID Experts