Anyone who has met Dr. Chris Brigham probably had the same impression I did – an extremely polite and pleasant man, and an all-around decent guy with a tremendous understanding of the industry and its needs. Brigham is founder of Impairment Resources, which until a few days ago reviewed medical records on workers' compensation and auto casualty claims for roughly 600 insurance companies and other customers.
But a New Year's Eve burglary at their San Diego headquarters has shattered the company and left it seeking Chapter 7 bankruptcy protection. The reason? The stolen equipment contained personal information, including patient addresses, Social Security numbers and medical diagnoses. Sources say records on as many as 14,000 people were potentially exposed. While the per-record cost of identity theft varies widely, starting in the mid hundreds, the exposure for medical identity theft is astronomical, estimated to be well over $20,000 per occurrence. It is highly probable that the data included in the Impairment Resources breach could be used for that purpose.
The company was facing huge liability costs, including potential lawsuits from clients and patients whose records were potentially compromised. It is not yet clear what liability will extend to the company’s customers.
While the recent focus on potential identity theft has largely been aimed at virtual threats – online transactions and the security of networked servers – this was a surprisingly low-tech incident. This was, for lack of a better phrase, a “simple break-in.” But the criminal(s), who have never been caught, didn't just steal equipment. They crushed a viable company. The concept is shocking, but it is easy to forget the tremendous exposure some companies have sitting right on their individual desktops.
This should be a wake-up call to every firm in the industry that stores and maintains data on injured workers. Every facet of the operation should be subject to review. Are physical security systems adequate for locations storing sensitive data? Are individual machines adequately password protected? Is data encryption being utilized, not just for network transmissions but for the stored data itself? What is the protocol for determining access to your data? Who has the keys today, and how quickly could you lock down (or lock out) people you no longer wish to have access?
There are many areas that should be reviewed, but one thing is certain: industry IT professionals who have been stalwartly looking outward for external threats likely need to glance inward for a bit, to recognize and correct potential threats of the more traditional variety.
On a personal note, I am deeply saddened to learn of this happening to the folks at Impairment Resources. Dr. Brigham has never been anything but exceedingly polite and supportive to me, and he certainly did not deserve this. We should all be aware, however, that IR was likely not the only company with this type of exposure. We should learn from the harsh lesson they have been dealt.