The high cost of security and privacy breaches was made amply evident in a recent article from the California Healthcare Foundation regarding the loss of a hard drive from a Veterans Affairs medical facility. A storage device (probably costing less than $200) has resulted in a potential $20 million response.
"The Department of Veterans Affairs has reserved more than $20 million to respond to a recent data breach that could affect nearly one million VA physicians and patients, according to Bob Howard, the department's CIO, Government Executive reports. The breach occurred in January when a hard drive was lost from a VA medical facility in Birmingham, Ala., and was not recovered. The hard drive included sensitive information on any U.S. physician who billed Medicaid or Medicare through 2004 and on more than 500,000 VA patients. "We have no evidence that [information is at risk]...but we don't take the chance," Howard said. A group of about 650,000 physicians and 254,000 veterans in May were notified by mail of the breach and provided with credit monitoring services through a General Services Administration blanket purchase.
The credit monitoring funds will be pulled from the VA's fiscal year 2007 cybersecurity budget, Government Executive reports. Howard said the VA's health information system, called VistA, has weaknesses because it was built when the VA did not worry as much about security. He added that department officials are looking to expedite the modernization process of VistA, which is scheduled to last until at least 2015. The modernization update aims to protect the electronic health records and make them available on the system worldwide via the Internet. The VA's joint project with the Department of Defense on an EHR system has improved the prospects of obtaining more resources from Congress for a VistA upgrade, Howard added. Investigators still are attempting to locate the hard drive and the FBI has offered a $25,000 reward for information leading to its location (Pulliam, Government Executive, 6/14)."
Protecting patient privacy should be a critical objective for all eHealth projects. In this case, it may have been pure negligence that resulted in the loss of the hard drive, but without effective education programs and an educated administrative and provider group, how will data be effectively protected in the future? How do we prevent these types of incidents from happening, or reduce the risk of their occurrence to the barest minimum?