US Data Loss Penalty Insignificant According to Cryptzone

Cryptzone : 19 March, 2012  (Technical Article)
Cryptzone comments on the losses suffered by patients whose data was compromised in the recent case that saw a penalty handed to BlueCross BlueShield.
Commenting on a $1.5 million penalty handed down to BlueCross BlueShield for the 2009 theft of 57 unencrypted hard drives from the US health insurer, Cryptzone says that the real penalty has been borne by the million-plus customers whose personal information was stolen.

Daniel Nilsson, Chief Business Development Officer for the European IT threat mitigation specialist, says that the loss of the patient data – which included their names, US Social Security numbers, dates of birth, health plan IDs and diagnosis information – was a gross invasion of privacy for the customers concerned and will have been worrying to many of the more vulnerable, including the long-term unwell and elderly amongst them.

“Frankly, if I were a client of this health insurer, I would feel aggrieved and insulted that my personal details – including the health problems I was being treated for – were worth less than $1.50 per patient. If this had happened in Europe under the proposed EU data breach penalties, the federation of 38 insurers could have been fined up to 2.0 per cent of its turnover, which is estimated to be at least $400 million,” he said.

“That gives a maximum penalty of $8 million, although some newswire reports suggest that BlueCross BlueShield has spent more than twice this amount remediating its systems over the problem, so this incident – as well as hammering the insurer’s reputation – will impact on the firm’s bottom line,” he added.

The Cryptzone Business Development Officer went on to say that because health data on customers was involved, it is almost certain an EU penalty under the proposed data breach regulations would have been close to the maximum.

But, he says, the US penalty doesn't end there, as there is a strong likelihood of a private class action lawsuit being launched by customers of the health insurer, resulting in a third round of embarrassment for the firm.

The first embarrassment, he adds, was when the incident occurred back in 2009, and the embarrassment has been brought back to the boil with the $1.5 million penalty from the US federal government.

If a class action is brought against the healthcare insurer, then this will be a third phase of public embarrassment. And all the while the firm's standing amongst its existing – and potential new – customers is taking a hit, he explained.

Nilsson says that, whilst it’s clear that the failure to encrypt and protect the data on the hard drives was a breach of the Health Insurance Portability and Accountability Act, the longer-term consequences beyond the fine are likely to run into the tens – if not hundreds – of millions of dollars, as the insurer will have lost many of its existing customers forever.

“And then there is the difficult-to-quantify issue of potential new clients who will look elsewhere for their healthcare services in the competitive US market. Today’s consumers are very price conscious, but they are also sufficiently savvy enough to realise that the loss of their data is a potentially serious matter on several fronts,” he said.

“The case will hopefully act as a wake-up call to any company – and not just in the US healthcare arena – that has not installed a secure set of defences to protect its data assets. It’s important that the case sends out the message that it is far from okay for companies to take a casual attitude towards data security, regardless of whether the data is customer or staff related,” he added.