Dom Nicastro provides some interesting data from California, where there is no “harm threshold” in mandated reporting requirements for breaches involving medical records:
Since California’s new law went into effect last year, the state has received 3,766 breach reports.
…. California’s investigations team has completed reviews of 1,953. It found that 98.7% of those breaches were found to be “substantiated medical breaches.”
Of course, if we left it up to entities to determine if sufficient risk of harm existed to warrant notification, we’d see substantially fewer breach reports and notifications to individuals. And that might be a good thing, according to attorney Jeff Drummond, whom Nicastro quotes in his article. Drummond raises the issue of worrying people needlessly and “notification fatigue” whereby we might get so many notifications that we fail to take action when we really need to. Of course, those arguments continue to miss the point that in a relationship of trust where confidentiality is crucial, patients have a right to know when the person they trusted to guard their private information failed to do so. How else can they decide whether to continue using that provider or not? The risk of ID theft is not the sole nor even most important reason for notifying people of breaches, despite Congress’s emphasis on ID theft or financial fraud.
Nicastro also reports some interesting findings from the breach reports California has investigated, noting that as of May 31, the state has been able to investigate 51.8 percent of the cases reported:
- 2,914: Unintentional breach to person outside facility/healthcare system. Example: A patient’s prescription is faxed to the wrong number and ends up in a lawyer’s office instead of the corner pharmacy.
- 559: Unintentional breach by healthcare worker within the facility/healthcare system. Example: A nurse faxes a patient record to cardiology instead of radiology.
- 147: Malicious breach by healthcare worker. A healthcare worker looks at the medical record of a patient without any medical reason to do so.
- 125: Breach of computer system theft, loss of electronic device/ medical records. Example: A hospital laptop is stolen from an employee’s personal car.
- 21: Malicious breach by person other than a healthcare worker. Example: Someone visiting the hospital sees a medical file on a desk and decides to pick it up and start reading.
Of those classifications, the unintentional breach within the facility is probably the only group where I might agree that notification to individuals might not be necessary as other hospital employees are also bound to confidentiality.
Read more on Nicastro’s article on HealthLeaders Media.
I can’t agree enough with the author. I’m a major a proponent for disclosure. We may risk de-sensitizing the consumer/patient to breaches, but that perspective comes primarily from an identity theft or financial harm point of view. The situation is very different where the disclosure of healthcare data can cause “irreparable harm” [Institute of Medicine] to a patient’s reputation or emotional state. A patient has the right to know of a breach and determine for themselves the implications of harm. If we have too many disclosures, the problem is not disclosures but the situation creating the disclosures. The other benefit to disclosures is that we are finally getting transparency around the issues in the industry. For a security professional is this very helpful in better understanding our exposures and establishing commensurate controls.