The exposure of protected health information is always a cause for concern. There are varying degrees of exposure, and there are varying degrees of response. What separates a good response from a bad one is the level of accountability and responsibility an organization takes for the loss of patient data. The best response I have seen recently from an organization has come from Stanford Hospital and Clinics.
A breach of information affecting approximately 20,000 emergency room patients of Stanford Hospital and Clinics occurred between March and August of 2009, as reported by a recent New York Times article. The breach arose from the actions of a contractor who posted patient information on a publicly accessible website. The incident was not caused by the hospital, and the contractor has assumed responsibility for the event. There will be other steps taken by the hospital as the investigation continues.
What makes the response to this situation remarkable to me is that Stanford Hospital and Clinics has gone the extra step of providing identity theft protection to each person whose data was exposed. Although the exposed information did not include credit card or Social Security numbers, Stanford is going a step further to ensure that patients feel their private information will not cause them substantial damage. It also shows that Stanford is taking steps to demonstrate that it takes this event seriously and that it realizes patient/customer trust is a fragile thing.
There are choices people can make. If people do not feel their information, clinical or not, is safe, then they might take their business elsewhere. In this case, the proactive choices made by Stanford seem to be the best response an organization could provide.
According to the article, a patient discovered the breach and alerted the facility. As patients become more technologically savvy, what could your organization do to ensure that, in the event of a similar situation, it could win back the trust of your valuable patients/customers? Could you convince people that your facility respects their information and treats it as if it were their own?