BreachExchange mailing list archives
Lots of health data breaches reported to HHS, only trivial ones to FTC
From: Christine Fulgham <christine () opensecurityfoundation org>
Date: Thu, 14 Oct 2010 16:00:29 -0400
http://blog.securityarchitecture.com/2010/10/lots-of-health-data-breaches-reported.html With just over a year having passed since the health data breach notification rules mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act went into effect, and interesting contrast has emerged between the breaches disclosed to the Department of Health and Human Services (HHS) by HIPAA-covered entities and business associates and those disclosed to the Federal Trade Commission (FTC) by organizations that provide personal health records (PHRs) and associated services, but are not covered by HIPAA. As reported on Monday and evidenced by the complete listing of breaches posted by the FTC, as far as the FTC is aware there have been no major breaches (those involving 500 or more individuals) in the past year. All 13 of the breaches reported to the FTC involved lost or stolen credentials, which presumably could result in an unauthorized party gaining access to a user's personal health information, but no actual loss of data seems to have been involved. It may or may not be interesting to note that all the breaches reported also came from one company: Microsoft. In contrast, the current count of breaches reported to HHS is 181, all of which involve 500 or more individuals, many of which apparently involve loss or theft of data (or laptops or other paper or electronic record storage devices). It seems fair to ask, can any substantial conclusions be drawn from the paucity of breaches reported to the FTC or their relative triviality? No one appears to be suggesting that the data protection practices of organizations subject to the FTC's data breach rule are superior to those of those covered under HHS' rules, so why so few breaches reported to the FTC? Several possible explanations come to mind, only some of which have anything to do with security or privacy practices: [...]
_______________________________________________ Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org) Archived at http://seclists.org/dataloss/ Unsubscribe at http://datalossdb.org/mailing_list Learn encryption strategies that manage risk and shore up compliance. Download Article 1 of CREDANT Technologies' The Essentials Series: Endpoint Data Encryption That Actually Works http://credant.com/campaigns/realtime2/gap-LP1/
Current thread:
- Lots of health data breaches reported to HHS, only trivial ones to FTC Christine Fulgham (Oct 15)