Small business owners across the country may be quite worried about their companies’ preparedness when it comes to both preventing a data breach and dealing with the fallout of such an instance when and if they do happen. But one thing that they really might not have much protection against is when a disgruntled employee who has access to critical, sensitive data ends up trying to steal it. This was recently the case for a group of three hospitals on the East Coast.
The breach hit the Valley Hospital, Englewood Hospital and Medical Center, as well as Holy Name Medical Center – in Ridgewood, Englewood, and Teaneck, New Jersey, respectively – plus White Plains Hospital in New York, and the University of Pittsburgh Medical Center, according to a report from the Bergen Record. Thousands of patients who have visited any of those care providers appear to have had their data stolen by a billing clerk, and only learned of the breach when they received notifications from the facilities.
The extent of the breach is, unfortunately, not yet known, but what is clear is that patient names, Social Security numbers, and dates of birth for people who visited those hospitals’ emergency rooms was stolen by the clerk, who worked for a third-party billing company Medical Management LLC, the report said. That company works with 40 physician groups across the country.
What’s being done?
Right now, federal authorities are investigating the breach, but how long it was taking place is unclear, the report said. The employee worked at from February 2013 to March 16 of this year, at which point the theft was revealed to the company by federal authorities. Now, Medical Management is offering credit monitoring to victims.
“If you got a letter, Valley recommends that you follow the instructions in the letter – secure your free credit protection,” Valley Hospital spokeswoman Maureen Curran Kleinman told the newspaper. “If you didn’t get a letter, you are not at risk.”
Fortunately, the only data compromised was that sent to Medical Management, and the hospitals say that their internal documents, which tend to be more data-rich, were not exposed, the report said. To this point, there has been no indication that any of the stolen data actually involved patients’ medical records.
Companies unfortunately cannot just push a button to create a comprehensive data breach plan.
What can small companies do?
One thing that security experts like to stress when they talk about data breaches and companies either large or small is that being hit by one is a question of “when,” not “if.” There is, in fact, very little that can be done to fully prevent them. As such, entrepreneurs might want to take the most precautions possible to minimize the damage in advance, but also have a comprehensive plan for what the firm is going to do when it is hit. That can be the difference between dealing with them successfully and financial ruin.
The fact is that the average data breach costs companies into the tens of thousands of dollars, and as such, owners might want to think about how their small business insurance plans protect them here. Tech insurance can go a long way toward remediating those costs.
