The recent ruling by U.S. District Judge Legrome D. Davis in the case of Allison v. Aetna is another proof point that the threat of identity theft caused by a data breach is not sufficient grounds for litigation. No damages equates to no victims, which mitigates one of the major risks of a breach.
Best practice suggests performing an incident risk assessment to determine the potential risk of harm to individuals when a breach of PII or PHI occurs. We suggest looking at the sensitivity of the data disclosed and the specific context of the breach, which together provide an incident risk level. Using these two dimensions of risk provides a consistent basis for determining the potential risk of harm.
An example of this approach is a recent breach of medical records from a large hospital. The breached records included name, address, medical ID number, and diagnosis. No social security numbers were disclosed. By definition this is protected health information.
Would the disclosure of this information create a potential risk of harm for the individuals affected, triggering breach notification under the HITECH Act?
The sensitivity of this data may have been low if the patients were adults, but upon further investigation we found that the information belonged to children, many of whom were wards of the state. The records also contained psychiatric data. All of these facts lead to an assessment that the sensitivity of the disclosed information creates high risk.
To evaluate the incident breach risk, we looked at how the breach happened. In this case, an employee had received a new laptop. The policy for this hospital was to encrypt all laptops. However, upon investigation, IT discovered that the employee had removed the laptop from the network before the encryption process had completed, leaving the records unencrypted. The employee had left the laptop in the trunk of their car in their garage. Unfortunately, the employee’s garage and car were broken into. The employee discovered the theft when they returned from vacation and reported it to the hospital. Evaluating both the sensitivity of the data and the context of the breach, the circumstances of this incident warranted a high-level assessment of risk.
This hospital made the decision to notify the affected patients because of the potential risk of harm. Will these patients fall victim to identity theft, creating a potential legal risk? It is hard to tell, but 5 years or 10 years from the date of the breach, some number of these affected patients will be victims of identity theft. Best practice is to have notified the individuals and provided them with information and tools to protect themselves.