The breach that Community Health Systems (CHS) experienced came as a shock, not only because it could happen at all, but because of the large number of patients affected (4.5 million across 29 states). With staff compliance resources stretched thin in healthcare, who is ensuring patient data is safe?
Security Info Watch revealed some disturbing data discovered after a class action lawsuit was brought against CHS. A few items were:
• Patient information was stored on an unsecured device in New Mexico
• CHS did not adequately encrypt, if at all, their patient information
• CHS did not take prompt action in notifying patients of the breach
• Front-end and back-end staff did not communicate about known security issues
The article also goes on to say:
“Slack & Davis and The Branch Law Firm filed a class action lawsuit in New Mexico against CHS, alleging that the healthcare company was negligent in failing to implement and follow basic security procedures. As a result, the lawsuit claims that affected patients face a ‘substantial increased risk of identity theft, if not actual identity theft,’ and will have to spend a significant amount of time and money to protect themselves.”
Could this have been prevented? Most would agree, yes. A few simple steps towards information security knowledge go a long way in protecting patient data. These steps include designating a security/privacy officer, training staff and performing an annual risk assessment.
No one intentionally commits a breach; it’s something that happens to “other organizations.” However, the upfront cost of a risk assessment and staff education will not only protect your patients and organization, but could save you millions in the long run.