Marshall Allen follows up on a UMC breach and shows how HITECH’s 60-day notification deadline is being used by the hospital to its fullest:
Kathy Silver, CEO of University Medical Center, learned three weeks ago that names, birth dates and Social Security numbers for at least 21 patients were leaked from the hospital — a crime being investigated by the FBI.
But the hospital still has not disclosed the breach to the patients, Silver told a committee of legislators Wednesday. She spoke as if this was not a problem. The law allows 60 days from the time UMC learns of a security breach to inform patients, she said.
One victim says that is too long to wait to tell patients they may be at risk of identity theft.
The hospital should have disclosed the breach immediately, said a 40-year-old UMC patient whose personal information — the kind that can be used for identity theft — was leaked. The man, who went to the public hospital Nov. 1 after a motorcycle accident, learned his privacy had been breached only when a Las Vegas Sun reporter told him Wednesday afternoon.
Read more in the Las Vegas Sun.
Reading the news story, I am reminded of the old adage, “Just because you can doesn’t mean you should.”
This highlights the need for legislation regarding breach notification to have both a “floor” (requiring an outside date – like the 60 days in HITECH) and a harm-based aspect to it. In other words, for example, notification needs to occur within a time-frame that does not increase the likelihood of harm to any person but notification must occur no more than 60 days after the breach.
In this case, where the hospital was literally handed copies of patient’s sheets of info, it would not seem to require 60 days to send a letter to those whom they know about. Silver’s reported casualness or lack of concern for rapid notification does not inspire my respect.
If an insider is selling info, there’s a reasonably decent likelihood that it *will* be misused. In this case, if the misuse is contact/ambulance-chasing or something similar, one might ask whether the “harm” is really significant, but what if the misuse involved fraudulent billing of Medicare/Medicaid or ID theft, etc.?
I agree with you that yes, the 60 days is an outside, but in many cases, depending on the nature of the breach, notification needs to be much sooner. The problem I see with most legislation that includes a harm-risk assessment is that they let the breached entity determine the harm risk.