Breach Penalties: Comparing U.S., U.K.

Analyzing the Two Nations' Healthcare Strategies

By Marianne Kolbasuk McGee, August 7, 2012.

The United Kingdom and the United States are both cracking down on healthcare organizations that have experienced information breaches. But they're taking very different approaches.

In the U.K., the emphasis is on publicizing frequent financial penalties, often for relatively small breach incidents. In the U.S., the focus has been on announcing less frequent "resolution agreements" that spell out a corrective action plan for preventing future breaches and include sizable financial settlements as well (see: A Close Look at U.S., U.K. Penalties).

So far this year, the United Kingdom has issued 11 fines totaling £1.4 million (about $2.2 million) related to healthcare breaches, including social services cases that involved breaches of mental health information. These cited violations of the U.K. Data Protection Act.

By comparison, U.S. authorities have announced three resolution agreements so far this year that included a total of $3.3 million worth of settlements - as well as corrective action plans, according to the Office for Civil Rights, a unit of the U.S. Department of Health and Human Services. These cited violations of HIPAA.

Since 2008, the office has announced nine resolution agreements with a total of $8.8 million in penalties. But OCR officials have indicated they plan to continue to ramp up HIPAA enforcement efforts and announce resolution agreements as they complete lengthy breach investigations.

The jury is out on which nation's approach will be more successful in reducing the number of breaches over the long haul.

U.K. Strategy

With the U.K. issuing sizeable financial penalties against healthcare providers for relatively small infractions, the Brits are showing vigor in enforcement, says Deborah Peel, M.D., founder of Patient Privacy Rights, an advocacy group.

"It looks like the U.K. is taking smaller breaches more seriously," Peel says. "You haven't seen anything like that in the U.S."

And Peel contends that the financial penalties issued as part of resolution agreements in the U.S. don't reflect the magnitude of the breaches.

For instance, a settlement with Blue Cross Blue Shield of Tennessee earlier this year, related to the theft of 57 unencrypted disk drives containing data on 1 million patients, resulted in a $1.5 million penalty. "That's only $1.50 per patient," Peel notes. "That's not commensurate with the scale of the breach and the revenue of the company."

Financial penalties should sting more based on the size of the offender and number of patients affected, she contends.

"Covered entities learn from the travails of others ... [such as] 'if I had only encrypted the laptop,'" McAndrew says. Potential penalties for privacy violations tied to breaches "get the attention of CEOs and CIOs so that they are more willing to put resources into prevention," she says.

Cultural Differences

The different approaches in the U.K. and U.S. may be rooted in the two nations' cultures.

"The EU and U.K. have deeper roots than this country in terms of privacy and security legislation," says Kate Borten, president of information security consulting firm The Marblehead Group.

"In the U.K. there are still issues all the time with breaches, snoops, lost laptops - many of the same things that are happening here in the U.S.," she says. But she points out that the U.K. has a watchdog agency, the Information Commissioner's Office, "with a strong voice that is lacking in the U.S."

The U.K.'s healthcare system is government-run - and the government keeps a close eye on the participants, she adds.

Plus, the U.K.'s Information Commissioner's Office loses patience quickly with repeat offenders and is quicker to hit data breach offenders with fines.

In the U.K., the ICO has the authority under the nation's Data Protection Act to issue information breach fines of up to half a million pounds, says Simon Rice, the ICO's principal policy adviser for technology. However, "meeting that criterion is actually quite strict," he says.

Follow Marianne Kolbasuk McGee on Twitter: @HealthInfoSec