BreachExchange mailing list archives
Security Bill May Leave Health Data at Risk
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 4 May 2015 18:30:12 -0600
http://www.healthdatamanagement.com/issues/23_5/PATIENT-DATA-PROTECTION-Security-Bill-May-Leave-Health-Data-at-Risk-50439-1.html

Draft congressional legislation to create a national standard on data security and breach notification does not address healthcare data, leaving consumer health information vulnerable, according to the Federal Trade Commission.

A draft bill, authored by House Energy and Commerce Committee Vice Chairman Marsha Blackburn (R-Tenn.) and Rep. Peter Welch (D-Vt.), would require certain entities that collect and maintain personal information on individuals to secure that information and provide notice to individuals in the case of a security breach. However, Jessica Rich, director of the Bureau of Consumer Protection at the FTC, told a House subcommittee in March that the draft Data Security and Breach Notification Act of 2015 does not cover certain types of consumer information such as health data, "even though misuse of this and other information can cause real harm, including economic harm, to consumers."

Rich warned lawmakers that "bad actors" have an economic incentive to target valuable health data for the purpose of selling it to debt collectors or private investigators. "The Commission has seen instances where bad actors have hacked into company systems and stolen consumers' personal information in order to extract payments for its return," she testified.

A breach revealing that an individual attends counseling for addiction could result in economic and physical harm, Rich said, and revelations about an individual's cancer treatment might cause the patient to lose a job. She argued that firms collecting information about an individual's physical or mental health condition should have a duty to provide reasonable security for this data. Some of the state data security and data breach laws that protect this information would be preempted under the draft bill, Rich said.
She argued that the situation is also complicated by the fact that businesses operating in the consumer-generated and consumer-controlled health information space might not be covered by HIPAA and, as a result, might not be subject to HIPAA's data security protections.

Rep. Michael Burgess (R-Texas), chairman of the House Energy and Commerce Committee's Subcommittee on Commerce, Manufacturing, and Trade, said that while he hopes the committee will have an opportunity in the future to look at the issue of healthcare data, that should not prevent Congress from moving forward with legislation.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail sales () riskbasedsecurity com
Supporters: Risk Based Security (http://www.riskbasedsecurity.com/)