Neglecting or failing to comply with HIPAA rules is sure to attract enormous penalties. Proof of this is the massive $4.9 billion lawsuit filed against TRICARE for compromising the health information of beneficiaries of the TRICARE military health program. The breach occurred when unencrypted backup tapes were stolen from the car of an employee of Science Applications International Corporation (SAIC), a business associate of TRICARE. The lawsuit, however, does not list SAIC as a defendant; it holds TRICARE, the Department of Defense (DoD), and Defense Secretary Leon Panetta responsible for “inexplicably failing to properly encrypt the information”. It also accuses TRICARE of authorizing an untrained employee to handle highly confidential information and of allowing him to transport it in an unguarded car, from which the tapes were stolen.
The law firm Shulman, Rogers, Gandal, Pordy & Ecker filed the suit against TRICARE, seeking $1000 in damages for each of the 4.9 million affected beneficiaries in the TRICARE program and calling it a case of ‘intentional, willful, and reckless violation of privacy rights’. In addition to the monetary penalty, the lawsuit also seeks to require the defendants to offer free credit monitoring to the affected beneficiaries.
While TRICARE has confirmed that the stolen tapes contained Social Security numbers, names, addresses, phone numbers, and some personal health data, it recently noted that it has no plan to offer free credit monitoring to the affected beneficiaries. Because reading the tapes requires special equipment and interpreting the data on them requires specialized skills, TRICARE believes the risk to beneficiaries is low.
The lawsuit, however, asks the court to bar TRICARE and the DoD from transferring data in any form that is subject to the Privacy Act until an independent panel of experts verifies and confirms that adequate information security has been established. It also asks the court to prohibit the defendants from transporting confidential data off government property unless it has been properly and completely encrypted. Beyond that, it seeks to prevent them from transporting records by non-secure means such as unprotected cars, and to prohibit SAIC from accessing or transporting TRICARE information until an independent panel confirms that adequate security measures have been implemented.
While the outcome of the lawsuit will determine the further course of action for TRICARE, it is evident that HIPAA violators bear the brunt of negligence and non-compliance. Although TRICARE may now take corrective measures to ensure that such breaches do not recur, this incident could have been averted entirely had an integrated security and compliance solution like SecureGRC been adopted. With its built-in HIPAA compliance support, end-to-end automation, and built-in policies and best practices, SecureGRC can ensure conformance to regulatory controls; in this case, it would have flagged from the outset that carrying the tapes in this manner was neither best practice nor secure. Every healthcare entity should therefore adopt a comprehensive security and compliance solution to avoid loss of data and the consequent loss of reputation.