It’s often quite difficult to code incidents for analysis purposes. Consider the following notification’s description of what happened, as one example:
Mesa, AZ: November 3, 2021 – Baywood Medical Associates, PLC dba Desert Pain Institute (“DPI”), a health care provider specializing in pain management located in Mesa, Arizona, has become aware of a data security incident that may have resulted in unauthorized access to the sensitive personal information of some former and current patients and employees. DPI is notifying via first-class mail any individual whose information may have been present during the unauthorized access to provide details about the incident, steps the firm is taking in response, and resources available to help protect against the potential misuse of personal information. DPI sincerely regrets any concern or inconvenience this matter may cause, and remains dedicated to ensuring the privacy and security of all information in our control.
On September 13, 2021, DPI detected and stopped a network security incident. Upon discovery of this incident, DPI promptly secured and began remediating our network. DPI also engaged a specialized third-party cybersecurity firm to conduct a comprehensive investigation to determine the nature and scope of the incident. On October 15, 2021, the forensic investigation concluded and found evidence that some DPI files were available to the unauthorized actor during the incident.
Although DPI is unaware of any fraudulent misuse of information, it is possible that individuals’ full name, address, date of birth, Social Security number, tax identification number, driver’s license/state-issued identification card number, military identification number, financial account number, medical information, and health insurance policy number may have been exposed as a result of this unauthorized activity. Notably, the types of information impacted varied by individuals and no single individual had all types of information impacted.
Can you really tell from the above whether it was a malware incident or not? Can you tell whether data was exfiltrated or not? How do recipients assess their risk in light of the above?
I am not saying that the covered entity has done anything wrong or illegal or unethical by its description. What I am saying is that for those of us who try to track trends or incidents, it’s often hard to figure out with any confidence what happened from a document that should be informing people who were impacted by an incident. Maybe revised disclosure templates should have a specific section in any FAQ that addresses “Was Malware/Ransomware Involved?” “Has Any Data Been Leaked or Dumped by Now?” “Was Ransom or any Fee Paid?” And then a link to where recipients can find updates on the disclosure in case the situation changes.
Yes, this is NOT what entities want to hear or do. But I continue to maintain that the ultimate victims — the patients, employees, or consumers — cannot really gauge their risk and make decisions as to how best to protect themselves if they are not given more information about what happened and what we know or do not know. And there really does need to be a requirement and method to provide updates if more information becomes available or the situation and risk changes.