Penalty for Loss of Patient Data an Insult to Victims
Cryptzone says on BlueCross BlueShield losing 57 HDDs.
This is a Press Release edited by StorageNewsletter.com on March 22, 2012 at 3:04 pm
Commenting on a $1.5 million penalty handed down to BlueCross BlueShield for the 2009 theft of 57 unencrypted hard drives from the US health insurer, Cryptzone Group AB says that the real penalty has been borne by the million-plus customers whose personal information was stolen.
Daniel Nilsson, Chief Business Development Officer for the European IT threat mitigation specialist, says that the loss of the patient data – which included their names, US Social Security numbers, dates of birth, health plan IDs and diagnosis information – was a gross invasion of privacy for the customers concerned and will have been worrying to many of the more vulnerable, including the long-term unwell and elderly amongst them.
"Frankly, if I were a client of this health insurer, I would feel aggrieved and insulted that my personal details – including the health problems I was being treated for – were worth less than $1.50 per patient. If this had happened in Europe under the proposed EU data breach penalties, the federation of 38 insurers could have been fined up to 2.0 per cent of its turnover, which is estimated to be at least $400 million," he said.
"That gives a maximum penalty of $8 million, although some newswire reports suggest that BlueCross BlueShield has spent more than twice this amount remediating its systems over the problem, so this incident – as well as hammering the insurer’s reputation – will impact on the firm’s bottom line," he added.
The Cryptzone Business Development Officer went on to say that because health data on customers was involved, it is almost certain an EU penalty under the proposed data breach regulations would have been close to the maximum.
But, he says, the US penalty doesn’t end there, as there is a strong likelihood of a private class action lawsuit being launched by customers of the health insurer, resulting in a third saga of embarrassment for the firm.
The first embarrassment, he adds, was when the incident occurred back in 2009, and the embarrassment has been brought back to the boil with the $1.5 million penalty from the federal US government.
If a class action is brought against the healthcare insurer, then this will be a third phase of public embarrassment. And all the time the rating of the firm amongst its existing – and potential new – customers is taking a hit, he explained.
Nilsson says that, whilst it’s clear that the failure to encrypt and protect the data on the hard drives was a breach of the Health Insurance Portability and Accountability Act, the longer-term consequences beyond the fine are likely to run into the tens – if not hundreds – of millions of dollars, as the insurer will have lost many of its existing customers forever.
"And then there is the difficult-to-quantify issue of potential new clients who will look elsewhere for their healthcare services in the competitive US market. Today’s consumers are very price conscious, but they are also sufficiently savvy enough to realise that the loss of their data is a potentially serious matter on several fronts," he said.
"The case will hopefully act as a wake-up call to any company – and not just in the US healthcare arena – that has not installed a secure set of defences to protect its data assets. It’s important that the case sends out the message that it is far from okay for companies to take a casual attitude towards data security, regardless of whether the data is customer or staff related," he added.