I’ve occasionally blogged about how frustrating it can be to try to notify an organization that they’ve apparently been hacked or had a breach. When that organization is a hospital and I can’t reach anyone, it’s even more frustrating. This week, it happened again. I ranted on Twitter a bit, and Jake Kouns suggested I write it up for the DataLossDB.org site and include some recommendations for organizations. I’ve now done that, here. My recommendations are fairly simple, but important, and I hope HIPAA-covered entities (and all organizations that store PII or PHI, for that matter) take them to heart and implement them.
And for the record, I still haven’t gotten a call back from the hospital that inspired the rant.