If a health care organization can be fined $4.3 million over an incident involving a mere 41 patient records, imagine what the penalty might be for a health care data breach involving 8.63 million patient records. London Health Programmes (LHP), a medical research organization based at the NHS North Central London health authority, waited three weeks before reporting the loss of twenty laptops, one of which contained the unencrypted health information of 8.63 million people. It is still unknown whether the laptops were stolen or misplaced.
The incident underscores the importance of encrypting PHI and establishing solid data loss prevention policies. Hardware at high risk of loss or theft — such as laptops, thumb drives or corporate smartphones — should be at the top of the list for data encryption.
“When a machine contains highly sensitive information on literally millions of patients, not securing the data on it by any means possible isn’t just careless: it’s sheer negligence,” said Chris McIntosh, chief executive of ViaSat UK (formerly Stonewood).
Though the London organization does not have to comply with the Privacy Rule in the Health Insurance Portability and Accountability Act, also known as the HIPAA Privacy Rule, it could be fined for violating the U.K.’s Data Protection Act.
Here in the U.S., PHI encryption gives hospitals a safe harbor, as the loss of encrypted data does not constitute a data breach under the HITECH Act. But encryption is only one means of data loss prevention: Health care organizations would be wise to take additional steps to avoid a health care data breach.