Inside the Trenches of a Data Breach
Healthcare data breaches are skyrocketing and they’re not expected to decrease any time soon.
More than 19 million medical records have been affected by data breaches [1], and the impact on the economy tops $40 billion per year [2].
Experts cite many reasons for this disturbing uptick in data breaches. For one, the move to digitize health records makes healthcare organizations more exposed. Other reasons include the proliferation of mobile devices, which are easily lost or stolen, and the fact that thieves can sell medical records for a much higher price than other stolen information.
The bottom line is that every healthcare organization should brace itself for a data breach and know the proper, and legal, way to respond to one. Responding to a healthcare breach continues to grow in complexity as the federal government extends its breach notification rules and steps up enforcement of them.
Adding to the confusion is the patchwork of state breach notification laws. In some states, an organization that’s already subject to the federal HIPAA/HITECH rules may be exempt from state notification laws. Many states have their own notification laws with deadlines that differ from the federal laws and some states actually have their own definitions for “personally identifiable information.”
Being prepared for a data breach can reduce your response time, preserve patient loyalty and help you avoid regulatory fines at both the state and federal levels. Experian® Data Breach Resolution works closely with companies in breach response and has seen firsthand the successes and mistakes made by organizations. Our “Lessons from the Field” e-book cites the top five takeaways from our years of experience.
Organizations should write an incident response plan and practice it. It’s also prudent to establish a contract with a data breach resolution provider who can handle notifications, a call center and credit and identity monitoring. If you don’t need a resolution provider, at least set up a contract for credit monitoring and identity theft protection. You don’t want to be scrambling for vendors in the middle of a breach investigation.
The same advice goes for data breach counsel and forensic firms. You should select these firms ahead of time – even if you never use them.
Suppose you’ve taken these precautions and believe you’re prepared. Then, you come in one day and discover a break-in. What’s worse, an unencrypted laptop containing sensitive data on 3 million patients is missing. Now what? You try not to panic. But what should you do first?
The first 24 hours of a healthcare breach are critical. If not handled correctly, the breach can lead to fines, lawsuits and an exodus of patients. Download the webinar “Data Breach Compliance and Response” to hear best practices from experts who have been there.
[1] Redspin PHI Breach Report, 2011
[2] Ponemon Institute’s Third Annual Survey on Medical Identity Theft