DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

UMC patients at risk of identity theft may wait 60 days to find out

Posted on December 10, 2009 by Dissent

Marshall Allen follows up on a UMC breach and shows how HITECH’s 60-day notification deadline is being used by the hospital to its fullest:

Kathy Silver, CEO of University Medical Center, learned three weeks ago that names, birth dates and Social Security numbers for at least 21 patients were leaked from the hospital — a crime being investigated by the FBI.

But the hospital still has not disclosed the breach to the patients, Silver told a committee of legislators Wednesday. She spoke as if this was not a problem. The law allows 60 days from the time UMC learns of a security breach to inform patients, she said.

One victim says that is too long to wait to tell patients they may be at risk of identity theft.

The hospital should have disclosed the breach immediately, said a 40-year-old UMC patient whose personal information — the kind that can be used for identity theft — was leaked. The man, who went to the public hospital Nov. 1 after a motorcycle accident, learned his privacy had been breached only when a Las Vegas Sun reporter told him Wednesday afternoon.

Read more in the Las Vegas Sun.

Reading the news story, I am reminded of the old adage, “Just because you can doesn’t mean you should.”

No related posts.

Category: Health Data

Post navigation

← HSBC whistleblower in hiding amid money-laundering investigation
Heartland Lawsuit Dismissed, “Insufficient Evidence” Of Weak Security →

2 thoughts on “UMC patients at risk of identity theft may wait 60 days to find out”

  1. Anonymous says:
    December 10, 2009 at 11:06 am

    This highlights the need for legislation regarding breach notification to have both a “floor” (requiring an outside date – like the 60 days in HITECH) and a harm-based aspect to it. In other words, for example, notification needs to occur within a time-frame that does not increase the likelihood of harm to any person but notification must occur no more than 60 days after the breach.

  2. Anonymous says:
    December 10, 2009 at 12:57 pm

    In this case, where the hospital was literally handed copies of patient’s sheets of info, it would not seem to require 60 days to send a letter to those whom they know about. Silver’s reported casualness or lack of concern for rapid notification does not inspire my respect.

    If an insider is selling info, there’s a reasonably decent likelihood that it *will* be misused. In this case, if the misuse is contact/ambulance-chasing or something similar, one might ask whether the “harm” is really significant, but what if the misuse involved fraudulent billing of Medicare/Medicaid or ID theft, etc.?

    I agree with you that yes, the 60 days is an outside, but in many cases, depending on the nature of the breach, notification needs to be much sooner. The problem I see with most legislation that includes a harm-risk assessment is that they let the breached entity determine the harm risk.

Comments are closed.

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • India’s Max Financial says hacker accessed customer data from its insurance unit
  • Brazil’s central bank service provider hacked, $140M stolen
  • Iranian and Pro-Regime Cyberattacks Against Americans (2011-Present)
  • Nigerian National Pleads Guilty to International Fraud Scheme that Defrauded Elderly U.S. Victims
  • Nova Scotia Power Data Breach Exposed Information of 280,000 Customers
  • No need to hack when it’s leaking: Brandt Kettwick Defense edition
  • SK Telecom to be fined for late data breach report, ordered to waive cancellation fees, criminal investigation into them launched
  • Louis Vuitton Korea suffers cyberattack as customer data leaked
  • Hunters International to provide free decryptors for all victims as they shut down (2)
  • SEC and SolarWinds Seek Settlement in Securities Fraud Case

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • German court awards Facebook user €5,000 for data protection violations
  • Record-Breaking $1.55M CCPA Settlement Against Health Information Website Publisher
  • Ninth Circuit Reviews Website Tracking Class Actions and the Reach of California’s Privacy Law
  • US healthcare offshoring: Navigating patient data privacy laws and regulations
  • Data breach reveals Catwatchful ‘stalkerware’ is spying on thousands of phones
  • Google Trackers: What You Can Actually Escape And What You Can’t
  • Oregon Amends Its Comprehensive Privacy Statute

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.