Health IT guru reflects back on data breach and the right way to respond

The proper, ethical way to get through a breach, and without fines
By Erin McCann
11:05 AM

Micky Tripathi is no stranger to privacy and security issues in health IT. He serves as the founding president and chief executive officer of the Massachusetts eHealth Collaborative (MAeHC). He helped launch the Indiana Health Information Exchange and is chair of the eHealth Initiative and co-chair of the Information Exchange Working Group, which provides recommendations to the federal government regarding HIE requirements.

In 2011, however, Tripathi found himself in unfamiliar territory after an unencrypted MAeHC laptop containing 14,475 patient medical records was stolen from an employee's locked car. After going through the rigmarole of notifying patients, contacting attorneys, changing policies and working to rectify the situation transparently, Tripathi said no one is immune from data breaches. But, one can be immune from much of the nasty aftermath depending on how it’s handled. 

[See also: Infographic: Biggest healthcare data breaches of 2012.]

"We're actually in this business. We even provide policy guides at the federal level," Tripathi said Thursday at the Healthcare IT News' Privacy and Security Forum in Boston. "So the suit was no small embarrassment that we found ourselves in the position of having made some critical mistakes with respect to how we were handling data and policies within our organizations." With that said, however, Tripathi added that the policies a healthcare organization has in place and the steps it takes to rectify the situation can be the deciding factor in whether or not the organization gets slapped with a hefty fine.

MAeHC and Tripathi's professional and transparent handling of the data breach helped the group avoid any fines, which Tripathi had initially been worried about. He cited other groups in Massachusetts that weren't so lucky. Massachusetts General Hospital, for instance, received a $1 million fine from the Office for Civil Rights for a breach of 192 patient records, and South Shore Hospital was slapped with a $750,000 fine from the Massachusetts Attorney General's Office for a breach involving some 800,000 patient records.

Taking a lighthearted and humorous approach to reflection, he likened the experience to going through the Kübler-Ross stages of grief. The first step was denial, which was, "It wasn't our employee. It couldn't have been. Definitely wasn't our laptop," he said jokingly.

The next step was anger, asking, "How could they do this? Don't they understand what our policies are? How could that person steal something? Don't they understand that's personal property? What kind of country do we live in?" he said to a laughing audience.

And then, of course, bargaining: "Well, do we know anyone at the Attorney General's Office? Maybe we can say, 'Look, we're just a non-profit.'"

After the depression finally sank in, they moved to acceptance. "We tried to be very transparent about everything we did," he added. In addition to the legal responsibilities, "we ha[d] a certain ethical responsibility," said Tripathi. "We came clean with the whole thing…we were standing up for our mistake and we were going to do whatever we had to do to rectify the situation."

[See also: Arkansas data breach remains unclear, gender discrimination lawsuit at core.]

Despite not getting slapped with state or federal fines, MAeHC did pay up. The total cost of the data breach came to $228,808, which is no trivial sum for a non-profit. Tripathi said $150,000 of that went to legal fees, and more than $6,000 went to credit monitoring for patients.

What did they learn? The importance of encryption, clear policies and employee responsibility, he said. Although MAeHC was in the process of encrypting all company laptops at the time of the theft, "the laptop wasn't encrypted. The files weren't encrypted individually. This was a big miss from a management perspective."

Ultimately, Tripathi said he wanted MAeHC's experience of the often-indiscriminate nature of data breaches, and of the proper way to respond to one, to serve as a "learning opportunity for the industry."