They may not know it, but managed care organizations have the makings of a good episode of The Sopranos lurking in their offices.
Imagine a rogue employee who quietly downloads countless customer files containing private medical information — names, procedures, medications, related claims data — which are then sold and resold across the globe. Or imagine that a few laptops containing much of the same type of data fall into the wrong hands.
Such security breaches are increasingly making headlines as banks, brokerages, and even government offices grapple with such embarrassing and damaging thefts. This scenario — which could make a shady character like Tony Soprano a nice amount of cash — could be a nightmare for a health plan.
Really bad for business
Beyond the momentary negative publicity, a security breach can easily invite regulatory scrutiny, prompt questions about the ability of a managed care organization to monitor other aspects of its operations and, ultimately, erode customer confidence. Then there's the ever-present potential for lawsuits. In other words, it's a quick way to lose business.
"Managed care has to stay on top of this, because a breach could reinforce the impression that these companies can't be trusted. After all, managed care organizations are in the public trust business, like it or not," says Mark Frisse, a professor of bioinformatics at the Center for Better Health at Vanderbilt University.
"If you're a chief medical officer and you're responsible for clinical trial data, you've got to ensure patient privacy. And people who want to be in the disease management business, and keep their jobs, had better be concerned with the security and confidentiality of personal health information. Why would people want to do business with you if they have to worry about a breach of personal information?"
At first blush, the vast majority of patient files may not appear to have much, if any, currency. Unlike credit card numbers, which can be used to purchase goods and services, it would seem that there isn't much advantage to having, say, someone's personal medication record in hand. But experts say that's not really true.
Such reasoning flies out the window if the private medical records belonging to a well-known person — possibly a celebrity, a politician, or an athlete — are stolen. Such data can have enormous currency. Imagine losing lab reports for a cyclist or baseball player caught up in a steroid scandal? Or the prescription-drug history for a candidate in a congressional race?
By the same token, ordinary people may feel vulnerable if potentially revealing information — claims showing HIV testing, for instance — is somehow divulged to an employer, insurer, or soon-to-be ex-spouse. Famous or not, the unexpected release of private health information can make anyone feel like a victim.
Last year, Kaiser Permanente paid a $200,000 fine for leaving sensitive patient information on a publicly accessible Web site. Data including lab results of 150 patients were posted for more than a year, according to published reports.
"There's no average Joe in this situation," explains David Lansky, senior director of the health program at the Markle Foundation, a not-for-profit organization in New York that specializes in studying how information technology affects society, particularly in national security and heath care.
"Privacy matters most when somebody has a reason to care about it," he continues. "It's not hard to imagine someone with a condition he wants to keep private from others, such as a family member or an employer. Our own focus groups show that many people feel their health records are 'sacred.' That tells you something."
Cause for concern
In fact, 67 percent of those asked are "somewhat" or "very concerned" about the privacy of their personal medical records, according to a survey conducted last year by the California HealthCare Foundation. And 52 percent were "somewhat" or "very concerned" that data from claims may be used by an employer to limit job opportunities.
Such concerns seem warranted. Between February 2005 and October 2006, nearly 350 breaches occurred at corporations, institutions, and government agencies in the United States, resulting in 93.7 million records containing sensitive personal data being compromised, according to the Privacy Rights Clearinghouse, a not-for-profit organization in San Diego.
Most breaches took place at financial-services companies, government offices, and universities, although the list included more than a dozen hospitals, a pharmacy benefit manager, a couple of laboratories, a large physician group practice, and several health plans. In some instances, patient records were compromised, according to the clearinghouse.
"Unlike purely financial forms of identity theft, medical identity theft may also harm its victims by creating false entries in their health records at hospitals, doctors' offices, pharmacies, and insurance companies," says a report written by Pam Dixon of the World Privacy Forum, a not-for-profit organization in California.
"Sometimes, the changes are put in files intentionally," she says. "Sometimes, the changes are secondary consequences of the theft. The changes made to victims' medical files and histories can remain for years, and may not ever be corrected or discovered."
The point is underscored by a recent survey of health care organizations — hospitals, doctor groups, and insurers — by PricewaterhouseCoopers. Nearly half reported having had one or more negative events related to information security during the past year. When asked the source of these breaches, half said employees, 18 percent said former employees, and 44 percent said hackers.
About one quarter of the 237 respondents were health plans. Of the rest, only 11 percent said they were "very confident" in the information security standards of their third-party partner and another 11 percent were "not at all confident."
To cope, health care organizations are starting to devote more resources to the problem. Fifty-two percent are spending more this year on information security, with 17 percent boosting those dollars by double-digit rates. Even so, 44 percent of the respondents said they don't have an overall information security strategy.
Meanwhile, 45.3 percent of U.S. respondents now employ a chief privacy officer, compared with 15.6 percent in all industries (see below). Sixty-three percent post their privacy policies on an internal Web site, 56 percent post the policies on an external Web site, and nearly three quarters review these policies each year.
The problem is likely to grow, however, as the federal government and the states, along with private industry, continue to push for sharing confidential health information, according to Thomas Burke, a partner at the law firm of Davis Wright Tremaine in San Francisco. He has an Internet law practice that focuses on online security issues.
"I know that our chief medical officers feel vulnerable," says Allan Korn, a senior vice president and chief medical officer at the Blue Cross Blue Shield Association in Chicago. "The challenge will get even tougher when everyone gets complete connectivity and fluidity. And that's a very big concern."
At the same time, there is a plethora of federal and state laws governing the disclosure of health care data. A ground-breaking California statute, for instance, requires a managed care organization to inform its customers of any incident in which private information is compromised. Other states have followed suit. And the notification process, itself, can be expensive.
While the Health Insurance Portability and Accountability Act of 1996 (HIPAA) doesn't automatically confer the right to file a lawsuit over improper disclosure of health data, Burke points out that the law also doesn't preclude other legal remedies from being pursued if someone is damaged by disclosure.
"The lawsuits haven't happened yet, and I'm not sure they will," says Burke. "Right now, the largest risk is the bad publicity that can follow a breach. Reputations can be hard to shake. But eventually, I think there will be a plaintiffs' bar that will develop to press such cases."
Standard of care
Naturally, prevention is the key to avoiding bad publicity, expensive litigation, and lost business. However, knowing where to start, choosing the right steps, and then implementing these decisions takes a concerted, companywide effort, according to experts. They all agree, however, that managed care must repeat this mantra: Adopt a standard of care.
"There are several things that can be done," says Drew Bartkiewicz, assistant vice president for technology errors and omissions liability insurance at Darwin Professional Underwriters, a specialty insurance company that specializes in dealing with managed care organizations.
"The rogue employee can cause a lot of exposure," he continues. "You need to screen employees for previous data incidents. Always check to ensure that security protocols are in place to secure your network. And make sure employees aren't doing massive downloads or viewing data inappropriately."
The potential problem is magnified, though, by the growing trend to outsource certain functions, particularly in the information technology departments. For that reason, Bartkiewicz advises health plans to be certain that their subcontractors are fully insured against any data breaches.
As a result, a managed care organization needs to demonstrate a good track record, conduct regular, third-party audits, maintain a central network management, and have written agreements with employees showing that employees must protect data. Even so, a large managed care organization can expect to pay about $200,000 in annual premiums for between $5 million and $10 million in coverage for network security issues, including data breaches.
But what does the health plan do if a breach occurs?
Are you insured?
Burke suggests a few common-sense steps. Start by conducting an investigation of the incident and have the person overseeing the effort report to a senior executive. Safeguard documents, and be prepared to hire computer experts. Don't forget to examine insurance coverage closely.
The insurer must also decide whether to include in-house or external lawyers, and how any possible criminal violation may affect confidential communications. By the same token, Burke points out that there may be requirements to disclose the episode to regulators, shareholders, auditors, and law enforcement.
Finally, it may be necessary to punish employees, update computer security, and require additional employee training. Don't forget that follow-up reports may be required. Disclosing the steps taken to correct the breach — and to prevent further breaches — can go a long way toward rebuilding confidence.
"This whole field of medical identity theft is growing up all around us," says Lansky. "As more medical data goes online, the risk of a breach goes up. And we also know that people will be very creative about going after that information."