Data Breach with LTC Communities


It’s time again for the Annual Garden Show! The show is ever popular, and the signup sheet at City Retirement Home filled up quickly. 54 residents fill the bus to City Convention Center for an afternoon of seminars, gardening products and landscaping ideas.

The day starts off well enough; the bus is on time and the sky is clear.  A good time is had by all.  However, at the end, when the group returns to the bus, they see broken glass.  The door to the bus is unexpectedly wide open.  A thief has broken in.

A quick inventory is taken, and it is determined that only a few items have been taken: loose change from the dashboard, a bottle of water, and the “Activity Backpack.”  Inside the backpack was a first aid kit and, more importantly, the City Retirement Home “Activity Binder.”

The Activity Binder had a single sheet of paper for each resident containing certain important information: name, age, gender, emergency contact information, insurance information, Medicare Number (social security number), doctor’s name and phone number, and current medications.  Suddenly, a simple trip to a garden show has become City Retirement Home’s first “data breach.”  The information on all 54 residents had been stolen.

Ten years ago, the loss of the Activity Binder would have been a minor annoyance.  But today, the stakes are higher.  Medical information is among the data most sought after by identity thieves.  A recent study revealed that a healthcare company is over 200% more likely to encounter data theft, and sees 340% more security incidents and attacks than the average industry.  The simple reason is that health information is accurate.  Even outdated information is useful, as it can’t be cancelled and replaced like a credit card number.

In today’s environment, City Retirement Home must now solve a set of increasingly serious problems.  Exactly which residents’ info sheets were in the binder?  What are the obligations and deadlines under state law to notify the residents of this data loss?  Does the state Secretary of State need to be notified?  What about HIPAA violations and the Department of Health and Human Services?  If one of the residents’ identities is actually stolen, what would City Retirement Home’s liability be?  What if one of the residents’ credit is ruined?  What if someone files a false tax return using one of the residents’ social security numbers?  What if a local reporter calls?  Who talks to the reporter, and what should be said?

As the example above illustrates, data breaches can happen in many ways, not just hacker attacks.  Retirement communities need to be just as vigilant as, if not more vigilant than, the big retailers who store credit card numbers.  Obviously, to the extent possible, electronic data must be protected according to the best practices available, including encrypting laptops that might leave the building and limiting access to information on mobile devices.

But just as important as system security is for companies to be prepared for the inevitable data breach.  Employees are people, and people make mistakes even under the best-designed system.  A game plan should be in place, so that responsibilities are clear and time is not wasted.  Getting the message right, and doing the right amount of notification, to the right residents, can save thousands of dollars and an enormous amount of time.

Insurance can play a role.  Insurance companies serve as facilitators for their policyholders, engaging with “breach coaches” that organize public relations firms, credit monitoring services, law firms, call centers and notification services that fit the situation at hand.  Each data breach is different, and working with a breach coach who can quickly access the right group of advisors is a proven strategy to successfully respond to a data breach crisis.

There are a myriad of ways data can be lost, and there are a myriad of mistakes that can be made by companies that suffer a data breach.  Proper planning and risk management are critical for any organization, but retirement communities with healthcare information need to be particularly vigilant.