BreachExchange mailing list archives

Privacy violations: Small breaches also pose danger but rarely addressed


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 10 Dec 2015 18:08:01 -0700

http://www.fiercehealthcare.com/story/privacy-violations-small-breaches-also-pose-danger-rarely-addressed/2015-12-10


In an era of increased concerns about patient privacy within the healthcare
industry, most of the attention focuses on large-scale breaches; indeed,
five such incidents this year compromised nearly 100 million private
records. But this focus means smaller-scale breaches affecting only one or
two patients often fly under the radar, according to Pro Publica.

It seems counterintuitive, but larger-scale violations often lead to little
in the way of actual harm. Smaller-scale cases, such as that of a New
Jersey hospital employee who exposed data on an 11-year-old boy's suicide
attempt, often have more immediate consequences, but federal authorities
are slower to penalize them. In these cases, the federal Office for Civil
Rights typically acknowledges the wrongdoing and pledges to correct any
issues, often reminding the offending provider of the provisions of the
Health Insurance Portability and Accountability Act (HIPAA), the article
noted.  But the office does not publicize numbers for small breaches or
which organizations are responsible for them.

Victims of HIPAA violations do not have the option to sue for damages, and
their alternate options vary by state. For example, a woman whose human
papillomavirus status was publicized on Facebook by a patient care
technician at her local hospital was given a letter of apology that did not
specify any disciplinary action. She eventually retained Neal Eggeson, an
Indianapolis lawyer, who settled out of court with the hospital without
suing.

"The vast majority of people who come through my door honestly are upset
that no one has stepped up to the plate and said that what happened to you
was wrong," Eggeson told Pro Publica. "If the healthcare provider isn't
going to give them that satisfaction, then maybe a jury will."

Privacy violations on social media have become a controversial topic in
recent years, with cases such as a New York City nurse fired for an
Instagram post. In November, a judge ruled the hospital where one such
employee worked was not responsible for the violation because the
information was accessed outside of the employee's job duties,
FierceHealthcare previously reported.