The FastHealth breach is confusing the heck out of patients and employees. I’m getting inquiries from folks who are understandably suspicious because they have never heard of the firm or can’t figure out how their details got caught up in all this. Others see news reports and realize that the entity named has no connection to them, so they can’t figure out what’s going on at all. And yet others see numbers on HHS’s breach tool and have no idea whether that number represents one entity’s patients, more than one entity, or all of them…. (Hint: I’ll bet you a pot of coffee that it’s definitely not all or even most.)
Case in point from today’s news from Michigan:
Community members may have received a letter from FastHealth Interactive Healthcare notifying them of a security incident. War Memorial Hospital has received inquiries from staff and community members regarding the legitimacy of the letter. FastHealth provides website programming and hosting for hundreds of hospitals and other healthcare organizations. FastHealth provided these services for WMH from January 2009 through August of 2013.
FastHealth cannot notify patients or employees unless notifying them is part of its contract with the covered entity. Would it be infinitely less confusing to patients and employees if the covered entities themselves notified their current and former patients and/or employees? I have no doubt it would. But nothing in the law requires that.
Do we need to change the regulations so that a business associate or third party must disclose the names of all of their covered entities that are impacted by a breach? I can imagine there would be a lot of resistance to that idea, but if the purpose of notification is to help mitigate harm from breaches, then wouldn’t a less confusing approach be in order?