DataBreaches.Net


Did ADPI disclose enough in its notification and has it done enough for patients?

Posted on December 1, 2012 by Dissent

One of the things that happens with a blog like this one or DataBreaches.net is that an organization discovers that I’m covering their incident and starts checking my blogs to see what I’m writing. At the same time, I’m checking other sites to see what they’re saying. This week, I’m obviously focused on the ADPI breach as it appears to be a large breach that may have been mirrored in other HIPAA-covered entities around the state (or country).  If ADPI wants to turn lemons into lemonade, they have an opportunity to help us all learn from this breach and harden our security against future incidents of this kind.

But something I just read on ModernHealthcare.com gave me pause.

In his coverage of the breach, Joseph Conn got a statement from Pam Dixon of the World Privacy Forum. I have tremendous respect for Pam and the WPF, and I found her comment a bit puzzling:

“The next thing we can say, the way this company has made breach notifications, is really poor business practice,” Dixon said. “This is disingenuous. If someone’s information has been sold to a crime ring, they need to get help and assistance almost immediately. Best practice dictates that people are told quickly and the entire truth is told.”

What is it that ADPI could have done that Pam thinks they should have done or could have done but did not do?  They say they discovered the breach on October 1 and mailed notification letters on November 29. They told people what kinds of information were involved, and if they knew for a fact that someone’s data was stolen and misused, their notification letter offered them free services through IDExperts. So what help and assistance wasn’t made immediately available?

And what information was withheld that Pam thinks is important for the “entire truth” to be told?

In my opinion, ADPI should have been more transparent with respect to the number of patients whose records were known to have been copied and misused (category 1), those whose data were copied but for whom there is no available evidence of misuse at this time (category 2), and those whose information might have been copied (category 3). It’s also difficult for members of the public to know whether they should be concerned because there’s no disclosure of all of the ambulance services that were affected. Someone who moved and may not receive a notification letter would have no way of knowing if their data had been stolen and misused unless they call the number. That said, I understand from similar situations in the past that ADPI may feel it is not their place to disclose their clients’ names, as the clients should be able to decide whether and when they want to publicly disclose that their patients were affected. Had ADPI simply listed all their affected clients, the clients might not have been prepared for calls from concerned patients, etc.

But ADPI probably could have and should have included some statement in their disclosure and notifications as to whose information was at risk. Was it only patients who used an ambulance service/client’s service between January of 2012 and July 2012, for example, or anyone who used one of their clients’ ambulance services since 2006 or ……?  Such information often helps the public figure out whether they might be at risk and should call the phone number provided if they did not receive a notification letter.  Does ADPI know the answer to that question?  If so, they should have provided it. If not, they should have said that at this time, they don’t know but will disclose that once their investigation is complete.

Another question that ADPI has not yet clearly answered is whether this employee had access to the computerized database or was copying from paper records that came across his/her desk. If it was theft/copying of electronic records, then there are a lot of other questions that I would ask, too, but until we know whether this was a breach of electronic or paper records, those questions may be premature.

So… if you read ADPI’s statement about the breach and their notification letters, what did you think? What else should they have told people and what else should they have done, if anything?


Category: Health Data

