Thursday, September 02 2010
The Story of University of Utah Hospitals & Clinics Data Breach
Gallagher Healthcare
Publication Date: 09/01/2010
Source: Health Data Management

Even though the delivery system didn't lose the data itself, it's still paying a price. There's a lot to learn from the complex tale.

The University of Utah Hospitals & Clinics is learning the hard way about losing control of patient records: UUHC has incurred nearly $3.4 million in costs, and damage to its reputation, after approximately 1.5 million patient billing records on computer tapes were stolen on June 2, 2008.

The tapes were recovered a month later and authorities believe the data they held was not accessed by the petty thieves who broke into a courier's car and made off with them. Almost comically, the thieves, not knowing what they contained, tried to view the tapes using a VHS player, according to police reports.

But the damage had been done. And two years later, UUHC is still feeling the pain as it finds itself embroiled in lawsuits with business partners and tries to recoup the huge costs of responding to the data theft. The state-owned but self-sustaining health system provides an object lesson for hospitals hoping to avoid the same fate when electronic patient records are lost or fall into the wrong hands. Vigilance, due diligence, well-crafted contracts, data encryption and cyber insurance are all elements of a comprehensive data loss protection plan.

Eight days after the theft, UUHC went public. To its credit, the health system promised to notify every patient whose billing information was on the tapes and provide them with a free year of credit reporting.

The breach occurred before the breach notification rule mandated under the HITECH Act went into effect.

The rule, which went into effect in September 2009, requires health care organizations that suffer a breach affecting more than 500 individuals to alert the local media and the affected individuals, and to report the breach to the Health and Human Services' Office for Civil Rights.

The OCR posts information on those breaches on a Web site accessible via www.hhs.gov/ocr/privacy/index.html. Notification, however, does not have to be made if the personal health information affected by the breach is encrypted or otherwise made "unreadable" by electronic means.

"The billing records included patient names, related demographic information and diagnostic codes. None of the records contained credit card information. Records for a subset of 1.3 million patients [later revised to 1.1 million] also contained Social Security numbers," UUHC said in a June 10, 2008 press release.

The decision to go public was not made lightly, though.

"That was big conversation internally," says UUHC spokesman Christopher Nelson. "We did a good job in communicating and offering some response so people felt we were taking this seriously."

Dealing with the damage

UUHC set up a third-party call center, sent out 2 million letters (originally it was believed 2.2 million records were stolen, but after the deceased and duplications were removed, the number was lowered), fielded 11,000 calls from worried patients and claimed it spent "6,632 personnel hours" on the matter.

"We did a whole lot of talking to patients and initially wanted to handle this [the call center] internally, but realized we couldn't. It was impossible to pull staff out of their regular jobs," adds Nelson.

Indeed, the decision to do the right thing was costly and now the hospital is trying to recoup the costs from its storage provider, Perpetual Storage Inc.

It was a Perpetual courier who kept the tapes overnight in his own vehicle, which the thieves broke into, according to police reports.

"We will use every means at our disposal to recoup the costs," says Nelson.

Perpetual's liability insurer, Colorado Casualty Insurance Company, is refusing to pay UUHC's claim on the grounds that electronic data is not covered in the storage concern's policy.

Going to the courts

On April 9, Colorado Casualty filed a complaint for declaratory judgment, which asked the court to sanction its decision to not pay the claim.

On May 25, UUHC responded by suing Perpetual, its insurance agent and Colorado Casualty to recover its costs. The jurisdiction is U.S. District Court, District of Utah, Central Division.

Indeed, Perpetual's policy would indicate Colorado Casualty, which is owned by Liberty Mutual Insurance Company, has a credible argument, according to court documents filed June 18 by Colorado Casualty in U.S. District Court, District of Utah, Central Division. Colorado Casualty spokesman Christopher Goetcheus said the company would not comment for this story.

The documents suggest what data security experts already know: general liability insurance is a slippery slope when it comes to covering data loss.

"Ten years ago, we had not heard much about data security breaches. When they started to occur, companies turned to their general liability insurance and said 'indemnify me,'" says data security expert Francoise Gilbert, managing director at the IT Law Group, a Palo Alto, Calif. firm specializing in data issues.

"The insurance companies say 'hmm, this is not covered. What we cover is A, B and C and what happened to you is F.' But in the past five to eight years, we've seen a number of insurance companies offer products specifically directed to that," Gilbert adds.

In its court filing, Colorado Casualty cites language from what it claims is Perpetual's policy.

At the outset, it says "We will pay those sums that the insured becomes legally obligated to pay as damages because of "bodily injury" and "property damage" to which this insurance applies."

Then come these two statements: the policy says that it covers "tangible property", excluding electronic data, meaning "computer software, systems and applications, tapes, CD-ROMs, and data processing devices or any other media which are used with electronically equipment." What's more, the policy says "We do not cover property in transit."

Perpetual attorney Steven McMurray of Fabian & Clendenin in Salt Lake City said his client disagrees with Colorado Casualty's position, but declined to discuss the details of his argument.

In a nutshell, everything that could go wrong went wrong for University of Utah Hospitals & Clinics, even though the theft appears not to be its fault.

In addition, UUHC quickly came clean instead of going into damage control and trying to keep a potentially explosive problem under wraps.

Data security experts like Gilbert say hospitals can take steps to protect themselves from what happened to UUHC by carefully scrutinizing third-party service providers, constructing well-crafted agreements and staying vigilant after the contracts are signed.

"The most important things are due diligence before the contract, [constructing] a good contract and not falling asleep after the contract," says Gilbert.

The dangers are real: she recently asked a group of data privacy professionals including several chief privacy officers what they feared the most and the "No. 1" response was subcontractors and service providers.

Gilbert expresses their thinking: "I am not afraid within my own company because I am in control of testing, training and who I hire. I am not in control of service providers and subcontractors. Beware," she says.

Common sense required

Common sense, along with legal and technical thoroughness, is essential, Gilbert adds. Before a contract is signed, hospitals need to grill their prospective service provider about its information security practices.

For example, when did they last do employee training? And who has access to the hospital's data?

"A [hospital] can visit the service provider or send them questionnaires about how do you do this and how do you do that," says Gilbert. "It's a normal practice that every prudent company does. Sometimes the service provider pushes back because it takes a lot of their time, but it's essential and a normal practice that every prudent company does."

Then there's the contract.

"Assuming you've conducted due diligence that the company has adequate procedures, the second thing to do is a contract. Don't sign any services agreement without paying attention to what it says," Gilbert advises.

There are "standard clauses" that legally mandate the company to apply the information security plan it laid out to the customer. A list of these clauses can be added in an appendix to the contract, according to Gilbert.

"You can build the contract provisions so the hospital has the ability to audit the service provider once or twice a year and go on the vendor's premises to look at the vendor's procedures, training and backgrounds of their employees," she says.

While such scrutiny is expensive and time-consuming, it's well worth it.

"There is a price for everything. If you told me new tires are expensive and you're going to stay with old tires because they are cheaper, and then you have an accident, don't complain," says Gilbert.

Lines of defense

Indeed, University of Utah Hospitals & Clinics, metaphorically speaking, wishes it had bought new tires.

It has changed many of its data security practices since the tapes were stolen, according to UUHC's Nelson.

First and foremost, it has applied much more sophisticated encryption to its electronic records so even if tapes were stolen again, they would be "irrelevant."

Encryption, not contracts, is the first line of defense in safeguarding data, argues Perpetual's McMurray.

He maintains it's unclear whether the data on the stolen tapes was encrypted, and says that question is a matter of dispute in the lawsuit.

"I totally disagree that [contracts] are the first line of defense. [Contracts] and all these other things are way down the line. The right encryption solves the problem. To me, that's very simple. The solution is simple. Hospitals ought to encrypt information [which gives them] safe harbor under the HITECH Act," McMurray continues. "Using the right encryption means there is no breach or obligation to notify anyone or anything else."

HITECH itself does not require encryption of personal health information, but patients must be notified of a breach if the data is not encrypted up to Federal Information Processing Standards.

McMurray said it's too early for settlement in the University of Utah Hospitals & Clinics suit, given the case is still in the pleading and motion stage. "My assumption is there will be a time serious settlement talks can be undertaken, [but] the case is just getting underway," he said.

Still, UUHC sounds almost as if it had read and internalized Gilbert's playbook.

"Looking back, we would have been way more aggressive in going back and evaluating the insurance [Perpetual] had because it might turn out the judge will rule in Colorado Casualty's favor and we'll have to pay for a lot of this," says Nelson. "Look at your processes to find out where the weak links and hand-offs are. Leave nothing to the weak links. That's something we would encourage other hospitals to do."

UUHC, according to Nelson, still uses Perpetual because it remains its "best data option," but looking out longer term it's examining other options, such as setting up its own data center or storage methods that don't involve tapes. Court documents filed by UUHC note that it's had a "Record Storage Agreement" with Perpetual since 1996.

Health care information security expert Kate Borten of the Marblehead Group wonders why University of Utah Hospitals & Clinics hung onto billing data for so long. "Why did they keep it?" she asks.

UUHC has asked itself the same question, according to Nelson. "These were billing records that really went back a good 30 years. The reason we keep them is not because we have to but because it's easier to store them than to destroy them," Nelson says. "The billing records are continuity of service so if we have an earthquake or natural disaster, we would have a set of data to go back to."

Cyber insurance

As for Perpetual, it has invested in a so-called cyber insurance policy which specifically protects against data losses. According to McMurray, cyber insurance is not a cure-all, though.

"It's almost impossible to acquire sufficient insurance against major data loss [due to high costs]. Customers are not willing to pay to offset the costs of those kinds of policies," says McMurray.

He declined to identify Perpetual's cyber insurance carrier. Two prominent cyber insurance companies are Lloyd's and the Chubb Group.

UUHC, says Nelson, has not altered its coverage because it's owned by the state university system. "As a state entity, our insurance is handled through the risk management of the state as opposed to if we were private. Hospitals which are not government-owned might need something different," he adds.

Ideally, data loss is prevented by due diligence in the hospital's selection of a third-party service provider and by ongoing monitoring. Good contracts and vigilance can reduce the chances of something bad happening to hospital data.

"This is mostly a question about contract law," says Borten, who cited many of the same points as Gilbert, such as crafting a contract with requisite protections and an insurance policy that specifically covers data loss.

In the end, UUHC has paid the biggest price even though it appears it was not directly responsible.

"We thought we were doing everything right, but this company making one mistake cost us $3 million, incalculable damage to our reputation and lots of staff time," says Nelson.

John Dodge is a freelance reporter who covers a wide range of technology and business topics. He can be reached at jdodge349@gmail.com.

(c) 2008 Source Media Inc. All Rights Reserved.