IT Solutions Blog

Encryption Could Have Prevented Centene's Data Breach of 950,000 Patient Records.

Posted by Rose Doherty on Feb 9, 2016 3:27:23 PM

Encrypted devices with PHI can be lost or stolen without it being considered a data breach. Encryption is like a Get Out of Jail Free card!


Health insurance credentials sell for $20 each on the black market, but when supplemented with personally identifiable information (PII) such as birth date, place of birth, and social security number, they can yield over $1000 per record. These are scary times, and Centene, a St. Louis-based health insurer, is the latest victim of a data breach that will make your head spin. The worst part is that it could have been easily prevented with one simple and inexpensive security measure.

On January 25, 2016, Centene, a St. Louis-based health insurer, issued a press release stating that it is unable to locate 6 hard drives that contain protected health information (PHI) of approximately 950,000 individuals. Unfortunately, the drives held not simply patient names, but addresses, social security numbers, birth dates, and lab results of patients who received laboratory services between 2009 and 2015.

This loss, or unauthorized disclosure of PHI, is reportedly the result of an employee who did not follow procedures for storing IT hardware. At the time of this posting, it has not been released whether Centene had conducted a Security Risk Analysis. The benefit of a Risk Analysis is that it shows you exactly where you are vulnerable to a breach of PHI and provides recommendations to eliminate the risk. A thorough and accurate Risk Analysis for any business that creates, receives, maintains, or transmits PHI will tell you to make encryption a policy throughout your business. To read an encrypted file, you must have access to a secret key or password that enables you to decrypt it. Otherwise, the file cannot be read. There are 5 reasons why you need full disk encryption, and you should do it immediately.

  1. If you experience the loss or theft of a device that is encrypted, it is not a data breach, no matter how many patient records were on the device.  Encryption is the safest, easiest, and least expensive way to protect yourself from a data breach.  If Centene had encrypted these hard drives, they would not be facing the fines and the damage to their reputation that they are now going to have to face.  Encrypt every device that creates, receives, maintains or transmits ePHI, even workstations.  It is literally the best insurance policy you can buy, and has been referred to as a get out of jail free card.
  2. Encryption is inexpensive.
  3. The user experience is not normally affected by encryption. Technology has come a long way; do not let this myth stop you from enabling encryption.
  4. Encryption will help tremendously with meeting Compliance Requirements.
  5. Your Cyber-Insurance company may reward you with the lowest possible rates as a result of your commitment to security.  Be sure to ask about discounts!

If you need a professional to help you conduct a Security Risk Analysis, or you need more information on encryption of laptops, workstations, tablets or smart phones, call us at 877-843-5767.

If you'd prefer to have one of our Senior IntelliSuite Engineers call you, click here. All of our Engineers are Certified HIPAA Security Specialists, and will be happy to answer any questions you may have.

Visit our website at www.intellisuite.com.

 

 

Topics: HIPAA Compliance, Data Security