Inevitable. That seems like a good way to characterize the likelihood that health data will be stolen from a health insurer or health system (indeed, another 4.5 million patients had their data exposed in May, according to Friday’s announcement from UCLA Health). See the link here:
http://www.bizjournals.com/losangeles/news/2015/07/17/ulca-health-reports-data-breach-that-could-affect.html
A few days before UCLA Health went public with the breach, the Blue Cross Blue Shield Association had its own announcement to make. Seemingly acknowledging if not the inevitability then at least the strong likelihood of health data theft, it announced that it would make identity protection services available to BC/BS customers on an opt-in basis. The services will include credit monitoring, fraud detection, and fraud resolution support. Here’s the announcement:
http://www.bcbs.com/healthcare-news/bcbsa/bcbsa-announces-new-identity-protection-services-for-customers-nationwide.html
This approach makes sense to me. It’s proactive. And, it provides the standard forms of relief that a hacked entity would likely offer to its customers whose data had been compromised. No doubt the Blues are hoping it eliminates or reduces lawsuits arising out of future hacks. But perhaps equally importantly, it may be a good defense should lawsuits get filed. As in, “Hey, your losses would have been avoided if you had only taken advantage of our identity protection services.” Or as in, “Can you say cross-claim?” against the identity protection company.
There are (also inevitable) regulatory challenges here. Managing the medical loss ratio is one, and getting the thumbs up from exchange regulators who manage exchange content will be another.
I’d welcome your thoughts on the litigation and regulatory impacts you see.