A breach that was not reported on this site initially, but was covered on DataBreaches.net, apparently involved medical information, too, as we now learn…
As a follow-up to previous coverage about the stolen Lake Ridge Middle School thumb drive here and here, Andrea McCarren of WUSA-9 provides some additional details that have infuriated parents (emphasis added by me):
The device was taken from a bag in an administrator’s unlocked car in her unlocked garage.
….. On the stolen thumb drive: personal information on more than 1,200 students - their names, phone numbers and sensitive information, including whether they have a medical condition.
Dollars to donuts says they don’t report this to HHS even though it has names and medical conditions, because these things are considered education records. There is a huge gap in protection and notification laws here, folks…..
There isn’t a need for them to report to HHS, as the school isn’t a covered entity under HIPAA. This would probably be a violation of FERPA, which is supposed to protect educational records, including health information held by educational institutions.
There isn’t a law requiring them to report it to HHS and FERPA doesn’t require reporting or notification. Lovely. As I said, there’s a gap.