TMCnet News

Providence chief faults audit
[February 28, 2006]

(Oregonian (Portland, OR) (KRT) Via Thomson Dialog NewsEdge) Feb. 28--Providence Health System's top Oregon executive said he was as shocked as anyone to find out that employees were routinely taking medical records home each day for emergency backup.

Russ Danielson, the company's Oregon chief executive, said he heard about the practice only after a car burglar stole computer disks and tapes holding the records of 365,000 patients and 1,500 employees from a van parked overnight outside an employee's home.

"I found it hard to believe," Danielson said.

In a three-hour interview with The Oregonian, he provided new details about the failures that led to the security breach and how he and others inside the company have tried to correct the hardships the crisis has imposed on patients.

Judging from the outrage of many whose records were stolen, Providence officials have far to go to regain trust. Patients are rallying behind a class-action lawsuit.

The Oregon attorney general's office has singled out Providence's data theft as a test case to set the standard on how companies will be held accountable for security lapses.

Danielson accepted responsibility, and he acknowledged at least some of the criticisms of his handling of the crisis. He expressed hope that other companies can benefit from lessons Providence has learned the hard way.

"This should not have happened," he said. "It did. We don't want it to ever happen again."

Excerpts from the interview:

Patients were stunned to learn that Providence routinely sent medical records home with employees for emergency backup -- and did so without using encryption to protect those records from unauthorized users. How did that become a routine practice for your Home Services division?

People in Home Services really believed they were doing the right thing. There was a breakdown. Our corporate policies weren't followed. We didn't know people were taking these records home. The process of regularly auditing our data privacy is part of the normal course. What happened was a practice that didn't surface through our audits. We did a thorough job of auditing. But whenever you audit, you rely on accurate responses. Our audit findings weren't responded to accurately.

I can assure you that we are going back and checking and making absolutely sure all over the organization that audit findings have been responded to correctly.

The morning of the theft, the employee who left the records in his car overnight told police the data were highly encrypted when they weren't. Why the confusion?

I think he honestly thought they were encrypted. They should have been, because our policy says they should be. If patient records are going to be moved off-site, they should be encrypted.

After the breach of private information entrusted to you by hundreds of thousands of patients, what can you do to restore public confidence?

We have to always acknowledge how seriously we take the theft, and that we take responsibility for it. We know that it is disrupting people's lives.

Another way is to offer these credit-restoration and credit-monitoring services, and to make extraordinary efforts to try to find the people whose data (were) in that database and give them a no-cost option to do something.

So far, authorities have not linked any cases of identity theft or fraud to the stolen records. Do you think the data will be exploited by criminals?

We really don't have any indication that anybody is using this information. But we have to assume that it will be and do everything we can to prepare to deal with it. What matters is, the potential for it is out there, it's our responsibility and we have to correct it.

You are offering patients the chance to sign up for a year of free credit monitoring, and you are promising credit-restoration services for those who are victimized, whether or not they've signed up for monitoring. But identity theft is common enough to expect nonrelated cases among the hundreds of thousands whose records were stolen. How will you decide which cases are your responsibility?

The assumption we're making here is, if you were in the database and you wind up with a credit problem, we're going to assume it's because of this. We're assuming it's us until it's proven otherwise.

In addition to paying for credit restoration, will you compensate people for actual financial losses they could incur as a result of identity theft?

We would need to be certain that their loss was a result of our data loss, as opposed to credit restoration, where we are going to presume it was our responsibility.

What lessons can other businesses take from your experience?

I'd encourage people to think about not just disaster recovery from the standpoint of having your data systems crash, but think about disaster recovery from the standpoint of having a data theft. As you peel this onion, there's a lot of layers to it. You realize how pervasive information is in an organization, and how important it is to think about the many ways you have to protect it.

Are there more specific lessons? For instance, you took more than three weeks to begin notifying people about the theft. Was that too long?

From the start the goal was: We've got to get this out as quickly as possible, but first we've got to sort through this data and know everybody we need to talk to. We had to re-create what was on those tapes, with 18 years of data on 12 different databases. We absolutely needed to put in place the system to be able to respond to people. I'm glad that we waited until we had set up the call centers. When the first wave hit, the call centers just got slammed. Right or wrong, we took things in an order of priority that seemed most logical.

Why not offer credit-monitoring straightaway?

Right out of the chute, we wanted to give people instructions on how to put what's called a fraud alert on their credit right away, while we were negotiating and learning about what services are important to provide; what other companies have done; what the attorney general thought we should do; and then looking at exactly how and where to provide that.

But if you were planning to provide credit monitoring from the start, why not tell people immediately? That might have ameliorated some of the outrage.

You don't want to tell people something that's not true, that is vague or is not going to happen. It's really important with something like this to be precise. But I think your criticism is a fair one. In hindsight, it might have been better to tell people: "We are looking into credit monitoring, credit restoration. We've got your call logged, and we'll get back to you."

Large-scale security breaches have inevitably triggered class-action lawsuits. A Portland law firm filed a complaint against Providence within days of your notice to patients. How did that threat influence your management of this crisis?

We decided early on not to let that be a driving force. We weren't going to approach this in a way to minimize our legal exposure with anybody. So when I say to you that our policies weren't followed -- somebody that was taking a legalistic approach to this wouldn't say that.

Are you asking people to release Providence from liability as a condition of signing up for credit monitoring?

No. They don't have to sign off of the class action to participate. Let's be clear about that.

Privacy advocates point to the records theft as additional evidence to bolster their claim that the federal government is doing little to enforce medical privacy protections. What's your response?

Regardless of whether or not there are teeth (in federal enforcement), we believe in the right of people to expect privacy of medical information. It hasn't been a lack of worrying about it that led to this. I would characterize this as an error of judgment involving a few people.

Four Providence employees, including managers, have lost their jobs as part of the fallout from the records theft. Were they the only ones to blame for failing to safeguard Home Services records?

While I'm not at liberty to discuss personnel matters, I can say we are holding ourselves accountable, and the people involved are being held accountable as well.

Some patients have expressed concern that Providence is making scapegoats of the four employees. What's your response?

I can assure you that we are not. We undertook a very thorough review. Rather than simply finding someone to scapegoat, we wanted to understand what were the failures that led to this and deal with those failures.

Our goal is to make sure our patients are protected, and the public is protected and that we make sure that where there were lapses in judgment, there isn't the potential for those lapses to occur again.

How much do you expect to pay for the package of services you are offering to everyone whose records were stolen, and what other costs have you incurred as a result of the theft?

About $7 million to $9 million. We've had thousands of hours with people doing the call center. I can't remember what it cost us to set up the Web site -- maybe $50,000. (A spokeswoman said Providence has spent about $165,000 mailing the first round of notices to patients).

What about the cost of the good will you have lost because of this theft?

To the extent people's credibility in us, or trust in us was shaken, that's an incalculable cost. It's going to take just a lot of good hard work to recover.

You hired a private investigator to pursue the stolen records. What are the prospects of recovering them?

Even if they found the data and gave it back, we'd still have to do all of this. We've lost the chain of custody of that data. We'd have no way of knowing what somebody may have done with it between then and now. I'd love to get it back -- to take to an incinerator somewhere and have a very expensive bonfire. But it won't change what we have to do.
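Two points in the interview are technical rather than managerial: off-site media were believed to be encrypted when they were not, and the audit trusted self-reported answers instead of inspecting the media. The following is an added illustration, written for this page and not code from Providence or the newspaper, of the kind of check that closes that gap: it inspects the bytes of a backup file and rejects anything that is recognisably plaintext, instead of accepting a label or a verbal assurance. The file formats, the entropy floor of 7.5 bits per byte, the SSN-shaped field pattern and the sample records are all assumptions chosen for the example. Note the deliberate asymmetry: the check can prove a file is not encrypted, but a high-entropy result only means "plausibly encrypted", because compressed data looks the same to an entropy test.

```python
"""Gate backup media before it leaves the building (added example).

Given the bytes of a backup artefact, decide whether it is recognisably
unencrypted.  The check can only REJECT: recognised plaintext headers,
record-shaped fields or low entropy prove the data is not encrypted, while
a high-entropy blob may still be merely compressed.
"""
import gzip
import hashlib
import math
import re
from collections import Counter

# Assumption: headers of containers a backup job might plausibly write.
PLAINTEXT_MAGIC = {
    b"SQLite format 3\x00": "sqlite database",
    b"\x1f\x8b": "gzip stream (compressed, not encrypted)",
    b"PK\x03\x04": "zip archive (members may be unencrypted)",
    b"%PDF": "pdf document",
}
TAR_MAGIC_OFFSET, TAR_MAGIC = 257, b"ustar"

# Constructed pattern for a US-style SSN field; a real deployment would
# carry rules for its own record formats instead.
SSN_RE = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")

# Assumption: below this many bits/byte a file is treated as not encrypted.
ENTROPY_FLOOR = 7.5


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 is the maximum, uniform random data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def assess_backup(data: bytes) -> dict:
    """Return a verdict dict: entropy, encrypted_plausible, and reasons."""
    reasons = []
    for magic, desc in PLAINTEXT_MAGIC.items():
        if data.startswith(magic):
            reasons.append(f"recognised header: {desc}")
    if data[TAR_MAGIC_OFFSET:TAR_MAGIC_OFFSET + len(TAR_MAGIC)] == TAR_MAGIC:
        reasons.append("recognised header: tar archive")
    if SSN_RE.search(data):
        reasons.append("plaintext SSN-shaped field found")
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in data)
    if data and printable / len(data) > 0.9:
        reasons.append("mostly printable text")
    ent = shannon_entropy(data)
    if ent < ENTROPY_FLOOR:
        reasons.append(f"entropy {ent:.2f} bits/byte below floor {ENTROPY_FLOOR}")
    return {"entropy": round(ent, 2),
            "encrypted_plausible": not reasons,
            "reasons": reasons}


def build_samples() -> dict:
    """Constructed inputs: a plaintext export, the same export gzipped,
    and deterministic pseudo-random bytes standing in for ciphertext."""
    csv = (b"patient_id,name,ssn,dob\n"
           b"1001,Jane Example,123-45-6789,1960-01-02\n"
           b"1002,John Sample,987-65-4321,1971-03-04\n") * 40
    # sha256 of a counter: fixed bytes with ciphertext-like statistics.
    cipher_like = b"".join(hashlib.sha256(b"seed%d" % i).digest()
                           for i in range(128))
    return {"plaintext_csv": csv,
            "gzip_csv": gzip.compress(csv),
            "ciphertext_like": cipher_like}


if __name__ == "__main__":
    for name, blob in build_samples().items():
        verdict = assess_backup(blob)
        status = "PASS" if verdict["encrypted_plausible"] else "REJECT"
        print(f"{name:16s} {status}  entropy={verdict['entropy']}")
        for r in verdict["reasons"]:
            print(f"    - {r}")
```

Run against the media itself, as part of the hand-off procedure, a check like this would have failed the unencrypted disks and tapes regardless of what the employee believed or what the audit questionnaire said; the audit finding becomes a measured property of the artefact rather than an answer on a form.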
