Personally, I detest it when entities won’t disclose how many people were notified or affected by a breach. It’s one of the few times that I think the “nothing to hide” argument applies.
When it comes to healthcare sector breaches affecting more than 500, refusal to disclose to the media makes even less sense to me, as HHS will eventually post the number on their breach tool and the media will pick it up. So instead of getting the whole story out at once, entities may find themselves back in the news cycle.
Such is the case with Crescent Healthcare – a Walgreens Company. Back in December, they had a burglary and hardware with unencrypted PHI was stolen. The firm dutifully notified patients, HHS, and state attorneys general that the stolen hardware held patients’ names, addresses, phone numbers, dates of birth, Social Security numbers, medical diagnoses, disability codes, and health insurance information as well as employees’ info, applications, and background checks, but they wouldn’t tell media like Local10, Healthcare IT News, or California Healthline how many people were notified.
This week, however, HHS updated their breach tool, and there it was – Crescent Healthcare had reported to HHS that they had notified 109,000 people of the breach.
Should they have disclosed that immediately? I think so, but then again, I also think they should have issued a press release and posted notices on their web site and on Walgreens’ site, neither of which they seem to have done.
Clearly, I’m not objective as I’m firmly on record for transparency and full disclosure. What do you think, though? And should entities even have the option to not disclose the number affected?