DataBreaches.Net


Did ADPI disclose enough in its notification and has it done enough for patients?

Posted on December 1, 2012 by Dissent

One of the things that happens with a blog like this one or DataBreaches.net is that an organization discovers that I’m covering their incident and starts checking my blogs to see what I’m writing. At the same time, I’m checking other sites to see what they’re saying. This week, I’m obviously focused on the ADPI breach as it appears to be a large breach that may have been mirrored in other HIPAA-covered entities around the state (or country).  If ADPI wants to turn lemons into lemonade, they have an opportunity to help us all learn from this breach and harden our security against future incidents of this kind.

But something I just read on ModernHealthcare.com gave me pause.

In his coverage of the breach, Joseph Conn got a statement from Pam Dixon of the World Privacy Forum. I have tremendous respect for Pam and the WPF, and I found her comment a bit puzzling:

“The next thing we can say, the way this company has made breach notifications, is really poor business practice,” Dixon said. “This is disingenuous. If someone’s information has been sold to a crime ring, they need to get help and assistance almost immediately. Best practice dictates that people are told quickly and the entire truth is told.”

What is it that Pam thinks ADPI should have done, or could have done, but did not do? They say they discovered the breach on October 1 and mailed notification letters on November 29. They told people what kinds of information were involved, and if they knew for a fact that someone’s data was stolen and misused, their notification letter offered them free services through IDExperts. So what help and assistance wasn’t made immediately available?

And what information was withheld that Pam thinks is important for the “entire truth” to be told?

In my opinion, ADPI should have been more transparent with respect to the number of patients whose records were known to have been copied and misused (category 1), those whose data were copied but for whom there is no available evidence of misuse at this time (category 2), and those whose information might have been copied (category 3). It’s also difficult for members of the public to know whether they should be concerned because there’s no disclosure of all of the ambulance services that were affected. Someone who moved and may not receive a notification letter would have no way of knowing whether their data had been stolen and misused unless they call the number. That said, I understand from similar situations in the past that ADPI may feel it is not their place to disclose their clients’ names, as the clients should be able to decide whether and when they want to publicly disclose that their patients were affected. Had ADPI simply listed all their affected clients, the clients might not have been prepared for calls from concerned patients, etc.

But ADPI probably could have and should have included some statement in their disclosure and notifications as to whose information was at risk. Was it only patients who used an ambulance service/client’s service between January and July 2012, for example, or anyone who used one of their clients’ ambulance services since 2006, or ……? Such information often helps the public figure out whether they might be at risk and should call the phone number provided if they did not receive a notification letter. Does ADPI know the answer to that question? If so, they should have provided it. If not, they should have said that at this time they don’t know, but will disclose it once their investigation is complete.

Another question that ADPI has not yet clearly answered is whether this employee had access to the computerized database or was copying from paper records that came across his/her desk. If it was theft/copying of electronic records, then there are a lot of other questions I would ask, too, but until we know whether this was a breach of electronic or paper records, those questions may be premature.

So… if you read ADPI’s statement about the breach and their notification letters, what did you think? What else should they have told people and what else should they have done, if anything?

Category: Health Data
