BreachExchange mailing list archives

Lots of health data breaches reported to HHS, only trivial ones to FTC


From: Christine Fulgham <christine () opensecurityfoundation org>
Date: Thu, 14 Oct 2010 16:00:29 -0400

http://blog.securityarchitecture.com/2010/10/lots-of-health-data-breaches-reported.html


With just over a year having passed since the health data breach
notification rules mandated by the Health Information Technology for
Economic and Clinical Health (HITECH) Act went into effect, an interesting
contrast has emerged between the breaches disclosed to the Department of
Health and Human Services (HHS) by HIPAA-covered entities and business
associates and those disclosed to the Federal Trade Commission (FTC) by
organizations that provide personal health records (PHRs) and associated
services, but are not covered by HIPAA. As reported on Monday and evidenced
by the complete listing of breaches posted by the FTC, as far as the FTC is
aware there have been no major breaches (those involving 500 or more
individuals) in the past year. All 13 of the breaches reported to the FTC
involved lost or stolen credentials, which presumably could result in an
unauthorized party gaining access to a user's personal health information,
but no actual loss of data seems to have been involved. It may or may not be
interesting to note that all the breaches reported also came from one
company: Microsoft. In contrast, the current count of breaches reported to
HHS is 181, all of which involve 500 or more individuals, many of which
apparently involve loss or theft of data (or laptops or other paper or
electronic record storage devices).
It seems fair to ask, can any substantial conclusions be drawn from the
paucity of breaches reported to the FTC or their relative triviality? No one
appears to be suggesting that the data protection practices of organizations
subject to the FTC's data breach rule are superior to those of those covered
under HHS' rules, so why so few breaches reported to the FTC? Several
possible explanations come to mind, only some of which have anything to do
with security or privacy practices:
[...]
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list