The Burden of Encryption or the Burden of a Breach?
The single largest PHI breach in 2013 involved the theft of four desktop computers from an office; the computers contained more than four million patient records. The additional burden of encrypting that data almost certainly pales in comparison to the burden of notifying millions of patients, undergoing the investigation and paying the monetary penalties that will probably result, and defending the class action lawsuit that has already been filed. Note that under the HIPAA Breach Notification Rule, data that has been encrypted in accordance with HHS guidance is treated as "secured" PHI, so the loss of an encrypted device generally does not trigger a notification obligation at all; the cost of encryption is paid once, while the cost of a breach is paid in full every time an unencrypted device goes missing.
Another example: in late April 2014, HHS announced that it had settled a breach enforcement action involving one stolen laptop and over 850 patient records. HHS's investigation found that the health care provider had previously recognized that the information on its computers and other devices needed to be encrypted, and it had started to do so, but its efforts were "incomplete and inconsistent over time, leaving PHI vulnerable throughout the organization." Predictably, the laptop that was stolen was one of the devices that had not yet been encrypted. The amount of the settlement is eye-catching: $1.7 million. Other reports about this settlement have surmised that its size may have been related to the fact that this laptop loss was not the provider's first; another laptop had been stolen about two years earlier. Whatever the reason for the high settlement figure, it graphically illustrates the risk: a partially deployed encryption program protects only the devices it has reached, and an enforcement action will turn on the one it had not.