Howard Anderson reports:
… A personal health record is an “electronic record of identifiable health information on an individual that can be drawn from multiple sources and that is managed, shared and controlled by or primarily for the individual,” according to the FTC.
Last year, the FTC issued a PHR breach notification rule, as called for under the HITECH Act. Under the rule, which took effect Sept. 24, 2009, major breaches must be reported to the FTC within 10 business days. PHR vendors, and certain companies with which they do business, must report any size breach to the individuals affected within 60 days. But they only have to report the smaller incidents to the FTC annually, 60 days after the start of the calendar year.
Read more on GovInfoSecurity.
So far, of the 13 breaches involving unsecured PHR reported to the FTC, all have been reports by Microsoft, and all involved individual cases of lost or stolen credentials. Only one incident involved more than 1 person, and that incident involved 3.