Lessons learned when Health IT advisory company realizes own vulnerabilities

A consulting firm well-versed in the importance of health information privacy was forced to dive deep into the murky issues surrounding health information security when it experienced a breach of its own, Micky Tripathi said during a Dec. 14 presentation at the Privacy and Security Forum hosted by the Health Information and Management Systems Society and Healthcare IT News.

The Massachusetts eHealth Collaborative (MeHC) is a nonprofit health IT advisory and professional services corporation headquartered in Boston. In 2011, while working on a project to migrate data from a practice management system to a new EHR system, an employee was engaged in the arduous task of reconciling erroneous records. Unable to complete the task at the practice, the employee downloaded the files to a company-owned laptop. The laptop was left in a car parked in a residential area and stolen, along with personal health information (PHI) on 14,000 patients.

“We’re in this business,” said Tripathi, MeHC president and CEO. “We provide policy guidance at the federal level. It was no small embarrassment that we found ourselves in a position where we made several critical mistakes.”

When Tripathi learned of the theft, his immediate reaction was, “What now?” It was unclear at the time whether the laptop contained any PHI and whether it was necessary to report a breach to state or federal regulatory authorities. The employee had, fortunately, recently backed up the laptop hard drive, which enabled MeHC to determine that PHI had indeed been stolen. “We’re not a provider organization, but we have more PHI than I appreciated,” Tripathi said. “That was one of the biggest lessons for us.”

At that point, dealing with the theft became the organization’s biggest priority and they managed it like they would any other project. MeHC needed to know whether this was a breach, who to notify and who was responsible. “I was struck by how little our attorneys really knew about this,” Tripathi said. “And not because they’re bad attorneys. It was all new territory at the time.”

The laptop was encrypted and individual files were password protected, and there was no reason to expect that the laptop had been targeted for PHI or that a street burglar could access PHI. Even so, “it was still possible a diligent amateur could work their way through every one of those gates,” Tripathi said.

For weeks, the MeHC team and their attorneys worked together daily to determine how best to proceed. MeHC also contacted state and federal agencies for help navigating complex and sometimes contradictory regulations. An investigation revealed that the laptop held 1,000 records with identifiable information from seven provider practices.

The next step was to notify patients of the breach. While Massachusetts state law delegated that task to MeHC, federal law delegated it to the provider organization MeHC was contracting with. The provider organizations ended up notifying patients, but held MeHC accountable. MeHC heard from several dozen patients and offered free credit monitoring services that some took advantage of. The total cost to MeHC was nearly $300,000, but there appeared to be no lasting negative consequences, according to Tripathi.

Although MeHC considered firing the employee responsible for the mistake, it was decided that anyone could have made the same mistake. Based on the experience, Tripathi said other organizations should be more cognizant of staff adherence to policies, act immediately if in a similar situation and take responsibility for the breach.
