By Elizabeth Litten and Michael Kline
A recent public statement (the “Public Statement”) was published regarding a breach (the “2011 Breach”) of protected health information (“PHI”) of nearly 5 million military clinic and hospital patients that involved Science Applications International Corporation (SAI-NYSE) (“SAIC”). The 2011 Breach occurred in SAIC’s apparent role as a business associate and/or subcontractor for Tricare Management Activity, a component of Tricare, the military health plan (collectively, “Tricare”) for active duty service members of the U.S. Department of Defense (“DoD”).
According to the Public Statement the PHI “may include Social Security numbers, addresses and phone numbers, and some personal health data such as clinical notes, laboratory tests and prescriptions.” However, the Public Statement says that there is no financial data, such as credit card or bank account information, on the backup tapes.
The 2011 Breach is the largest single PHI security breach reported to date. The 2011 Breach highlights the decision-making process that covered entities and business associates should employ with respect to notifying the Department of Health and Human Services (“HHS”), other regulators and potentially affected individuals of a PHI breach.
The published “interim final rule” governing “Breach Notification for Unsecured Protected Health Information” (the “Breach Notification Rule”) defines “breach” as “the acquisition, access, use or disclosure of protected health information [“PHI”] in a manner not permitted under subpart E of this part which compromises the security or privacy of the protected health information.” It further explains that “compromises the security or privacy of the protected health information means poses a significant risk of financial, reputational, or other harm to the individual.” The Breach Notification Rule also defines the term “access” for purposes of the interim final rule as “the ability or the means necessary to read, write, modify, or communicate data/information or otherwise use any system resource.”
These definitions, reviewed in the context of several recent PHI breaches (including those “marchers in the parade” previously discussed on this blog), raise an important issue: at what point does “access” matter? When is the mere “ability” to read PHI, without evidence that the PHI was actually read or was likely to have been read, enough to trigger the notice requirement under the Breach Notification Rule? Will covered entities provide notice out of an abundance of caution to report every unlocked or unencrypted data file, possibly flooding the HHS website that lists large PHI breaches (the “HHS List”) with potential breaches that have minimal or no likelihood of access and unduly alarming notified individuals? Could such reporting have the unintended effect of diluting the impact of reports involving actual theft and snooping?
In this regard, an event reported on the Nemours Web site on October 7, 2011 (the “Nemours Report”), about a PHI security breach involving approximately 1.9 million individuals at a Nemours facility in Wilmington, DE is relevant. The Nemours Report stated that three unencrypted computer backup tapes containing patient billing and employee payroll were missing. The tapes reportedly were stored in a locked cabinet following a computer systems conversion completed in 2004. The tapes and locked cabinet were reported missing on September 8, 2011 and are believed to have been removed on or about August 10, 2011 during a facility remodeling project.
Significantly, the Nemours Report stated the following:
There is no indication that the tapes were stolen or that any of the information on them has been accessed or misused. Independent security experts retained by Nemours determined that highly specialized equipment and specific technical knowledge would be necessary to access the information stored on these backup tapes. There are no medical records on the tapes.
The Nemours Report reveals that, in spite of the low likelihood of access, it not only disclosed the breach but was offering free credit monitoring, identify theft protection, and call center support to affected individuals.
If the analysis as to whether access “poses a significant risk of … harm” takes into account the likelihood that PHI was actually accessed, rather than simply whether a theoretical “ability or means” to read, write, modify, or communicate PHI existed at some point in time, perhaps the “possible breach” floodgates will not burst open unnecessarily.
[To be continued in Part 2]