Electronic Medical Records (EMR), patient privacy rights, surprise government HIPAA Audits, data thieves, computer hackers and identity theft in millions of dollars are coming your way.
Got your attention? All of these are elements of a potential “Perfect Storm” in the healthcare industry. Are you prepared to weather this storm?
Technology is a wonderful thing. How did we ever make it without our laptops, cell phones, smart phones and the Internet? These wonderful inventions have made our lives more productive. They make a tremendous amount of information available to us wherever we are, any time we want it.
With all of our technological benefits, we have not considered some serious and potentially expensive risks, especially in the healthcare industry. Much of this data can pose serious risks, resulting in tremendous damage if it ends up in the wrong hands. Those who have given consideration to the many risks posed by technology may not be sure how best to protect their data and properly manage their technology–related liability.
With today’s rapidly changing technology, maintaining data security and privacy is a critical and difficult task. In addition to the difficulty, it can be an expensive investment. However expensive the initial investment is, it still costs less than responding to a significant data breach. Many people are finding out the hard way just how costly a breach can be. Some would even call it the “Perfect Storm”. Here are some recent real life situations for you to consider.
Feb. 7, 2007, Johns Hopkins University and Johns Hopkins Hospital (Baltimore, MD): Johns Hopkins reported the disappearance of nine backup computer tapes containing personal information of employees and patients. Eight of the tapes contained payroll information on 52,000 past and present employees, including SSNs and in some cases bank account numbers. The ninth tape contained “less sensitive” information for about 83,000 hospital patients.
Feb. 8, 2007, St. Mary’s Hospital (Leonardtown, MD): A laptop stolen in December contained names, Social Security Numbers (SSN), and birth dates for approximately 130,000 of the Hospital’s patients.
May 24, 2007, Beacon Medical Services (Aurora, CO): Private medical and financial information including 5,000 patient records from at least 10 Colorado clinics and hospitals, and one hospital in Peoria, Illinois that should have been only accessible through VPN access were inadvertently available on the Internet.
Nov. 7, 2007, Carolinas Medical Center – Northeast (Concord, NC): A paramedic left a computer on the back bumper of an ambulance and then drove away. The laptop contains names, addresses, phone numbers and SSNs of approximately 28,000 people who have been cared for by the Cabarrus County EMS over the last four years.
Feb. 27, 2008, Health Net Federal Services (Rancho Cordova, CA): Approximately 130,000 doctors in eleven states had their personal information openly posted on a company website. SSNs were part of the personnel information exposed. The states involved include Wisconsin, Michigan, Illinois, Indiana, Ohio, Pennsylvania, Tennessee, Iowa, Missouri, Kentucky and West Virginia.
Source: Privacy Rights Clearinghouse; press accounts
Consider the cost of responding appropriately to a privacy breach, which can easily end up in the millions. According to Forrester Research, Inc., responding to a data and privacy breach can range anywhere from $90 to $305 per person. Based upon these estimates, it makes sense to address this very critical issue in a proactive manner rather than waiting for the “Perfect Storm” to hit and then trying to respond to it after the fact.
These risks are not going to go away on their own. In fact, they are going to continue to grow as our dependence on technology increases. You, along with your insurance and risk management advisor, need to take the necessary steps to address these issues in a proactive manner. As discussed in a previous article, the three key components in managing your total cost of risk are applicable here as well. Risk Identification, Risk Control and Insurance are all key elements in making sure you are prepared to weather the storm in this highly specialized area.
If your insurance and risk management partner does not have in–house expertise in dealing with privacy and data security, you should locate one that does, as this is not your ordinary run of the mill exposure.
Scott Ernst and Paul Paray are with HRH’s Privacy Advisory Group










