RESPONDING TO DATA THEFT - PowerPoint PPT Presentation

Provided by: weains
Transcript and Presenter's Notes

Title: RESPONDING TO DATA THEFT


1
  • RESPONDING TO DATA THEFT
  • March 30, 2007

Nancy Davis, MS, RHIA Chrisann Lemery, MS, RHIA
2
Data Theft in Healthcare
  • Healthcare organizations are particularly
    vulnerable to identity theft crime due to the
    wealth of individuals' personal, demographic, and
    financial information that is collected,
    transmitted, and maintained in the course of
    operations.

3
Risk to Healthcare Organizations
  • Loss of Reputation and Erosion of Trust by
    Patient/Insured(s) and Other Stakeholders
  • Harm to a Patient/Insured(s)
  • Harm to Workforce Members
  • Regulatory or Accrediting Scrutiny
  • Penalties/Financial Sanctions/ Lawsuits

4
Responding to a Data Theft Event
  • Identify a Response Team
  • Complete Security Incident Response or Risk
    Management Occurrence Report
  • Determine Internal and External Steps
  • Notify Stakeholders
  • Obtain External Guidance

5
Responding to Event - Response Team
  • Administration
  • Privacy Officer
  • Security Officer
  • Risk Management/Internal Audit
  • Compliance Officer
  • Chief Information Officer

6
Responding to Event - Actions
  • Add to Response Team as needed
  • Public Relations
  • Legal Counsel (Internal or External)
  • Human Resources
  • Facility Security/Plant Operations

7
Initiate Security Incident Report (SIR)
  • Record Name and Contact Information of Reporter
  • Gather Description of Event
  • Identify Location of Event
  • Identify System/Application/ePHI Compromised

8
Responding to Event - Actions
  • Carry Out Information Technology Forensic
    Investigation
  • Identify Pertinent Records
  • Content
  • Number of people affected
  • Business Associate records
  • Sequester Pertinent Records

9
Responding to Event - Actions
  • Identify Source Responsible
  • Vendor
  • Business associate agreement provisions
  • Employee
  • Workforce member
  • Background check information
  • Training received
  • Sanction

10
Responding to Event - Actions
  • Identify Source Responsible
  • Thief
  • Crime of opportunity
  • Targeted
  • Offer Reward

11
Responding to Event - Actions
  • Notify Legal Counsel
  • Notify Organization's Insurance Carrier
  • Suspend Billing
  • Determine Impact

12
Responding to Event - Impact
  • Data elements compromised
  • Name, address, telephone number
  • Date of birth
  • Social Security Number
  • Clinical information (diagnoses, lab values, etc.)
  • Source's relationship (vendor, workforce member,
    visitor, etc.)

13
Data Elements
14
Combinations - Notification?
  • Name + Phone Number + Address?
  • Name + DOB + ICD-9-CM Diagnosis?
  • MR + SSN + Dates of Service?
  • Full Face Images + Dates of Service?

15
Notification Risk-Benefit Analysis
  • Regulatory Notification Requirements
  • Type of Information Disclosed
  • Potential for Harm to Patient/Insured(s)
  • Timing
  • (Date Loss/Theft Occurred and Reported)
  • Circumstances (Loss, Targeted Theft vs. Crime of
    Opportunity)

16
Notification Risk-Benefit Analysis
  • Likelihood of Public Disclosure by Other Sources
    (Law Enforcement, Licensing or Accrediting
    Agency, Media, etc.).
  • Recommendation from Legal Counsel, Law
    Enforcement, Vendors (if involved).
  • History of Notification with Similar Losses/
    Thefts.

17
Responding to Event - Public Relations
  • Assess severity of the incident from a Public
    Relations perspective
  • Number of people affected
  • Information breached
  • Media interest
  • Risk to organization

18
Responding to Event - Public Relations
  • Decide audiences to receive communication and the
    vehicle to communicate
  • Victims, employees, board, media (regional,
    national), others
  • Telephone, email, face to face, printed
    materials, website
  • Develop communication materials

19
Responding to Event - Public Relations
  • Notify Victim(s)
  • Time Frame
  • Determine vehicle of communication
  • Assistance to Victim

20
Assistance to the Victim
  • Recommend placing a fraud alert on credit cards
  • Offer credit monitoring
  • Provide contact (name, title, telephone number)
  • Offer review of designated record set
  • Make available guidance
  • Helpful tools
  • FTC documents

21
Responding to Event - Organization's Notification to Law Enforcement/Agencies
  • Local Law Enforcement
  • Must be Aware of State Statutes
  • Coordination of Notification
  • Federal Trade Commission
  • Other Agencies

22
Assisting Victim - FTC Publications
  • ID Theft: What's It All About
  • Take Charge: Fighting Back Against Identity
    Theft
  • ID Theft Affidavit
  • Identity Crisis: What to Do If Your Identity Is
    Stolen
  • Many Publications Available in Spanish

23
Communication to Others
  • Media Statement
  • Employee Notification
  • Members Not Affected
  • Business Associates
  • Corporate Stakeholders
  • State Agencies

24
Responding to Event - Follow-Up
  • Evaluation (Post-Mortem)
  • Identify and Implement new or revised policies
    and procedures
  • Process PHI Amendments
  • As Appropriate

25
Finalize Security Incident Report (SIR)
  • Description of event, including location and
    compromised information
  • Evidence
  • Business Associate Agreement
  • Police report
  • Communication about event
  • Documentation of response team

26
Resource/Reference List
  • Federal Trade Commission
  • Identity Theft
  • http://www.consumer.gov/idtheft/
  • AHIMA Identity Theft Practice Brief
  • Published April, 2005

27
Resource/Reference List Continued
  • U.S. Department of Justice
    http://www.usdoj.gov/fraud
  • Social Security Administration
    http://www.ssa.gov/pubs/idtheft

28
Resource/Reference List Continued
  • Identity Theft Resource
    http://www.idtheftcenter.org
  • Fight Identity Theft
    http://www.fightidentitytheft.com
  • Privacy Rights Clearinghouse
    http://www.privacyrights.org/identity.htm

29
Personal Protection Tips - Protect Your Good Name
  • https://www.optoutprescreen.com
  • Remove Name From Pre-approved Credit Mailing
    Lists
  • https://www.annualcreditreport.com
  • Only Legitimate Site to Request One FREE Credit
    Report a Year

30
Nancy Davis: DavisN_at_ministryhealth.org
Chrisann Lemery: clemery_at_weatrustcom
Thank you!