This is an example of a “hole” allowing unencrypted backup tapes to leave the facility and led to one of the largest ePHI breaches in history.
Had they a solid HIPAA Risk Analysis covering encryption and ePHI disclosure policies, this breach would not had been a breach. Or shown due diligence to help convince the judge of their intent on protecting those ePHI records.
Tricare in Texas has a class action lawsuit filed last week initiated by a solder on the list for a total of $4.9 Billion!! They claim the average cost of fraud per person (i.e. breached file) is $1,000 per person. 1,000 times $4.9 Million breached records is $4.9 Billon.
The backup tapes would require specific hardware and software to be used however, “security by obscurity” apparently doesn’t hold up in society.