The largest health care data breach on record occurred recently when a thief made off with back-up tapes — items commonly used by hospitals and other providers to store patient data. Experts say covered entities and business associates should ensure the tapes are secured, both by encryption and by more physical means.
The tapes contained information on 4.9 million beneficiaries of TRICARE, the government health plan that covers military personnel and their dependents. They were stolen last month while in the possession of Scientific Applications International Corp. (SAIC), a TRICARE contractor.
The ironic part: The tapes were on their way to be encrypted so that the data could not be viewed, should they ever fall into the wrong hands. In notifying members of the breach, TRICARE deemed the risk of harm to be low because specialized equipment is needed to view the tapes. It opted not to offer credit monitoring services to the victims.
That fact seems to be at the heart of a $4.9 billion proposed class action suit ($1,000 per affected beneficiary), brought under the 1974 Privacy Act. TRICARE is also a HIPAA covered entity, and SAIC would be its business associate, but HIPAA provides no private right of action for individuals to sue. However, the HHS Office for Civil Rights investigates any breach that involves more than 500 individuals and can impose fines.
Are these tapes still a reliable option to save data?
Is it feasible to stop using them?
Besides encryption, what are some ways to protect them?