One of the things that happens with a blog like this one or DataBreaches.net is that an organization discovers that I’m covering their incident and starts checking my blogs to see what I’m writing. At the same time, I’m checking other sites to see what they’re saying. This week, I’m obviously focused on the ADPI breach as it appears to be a large breach that may have been mirrored in other HIPAA-covered entities around the state (or country). If ADPI wants to turn lemons into lemonade, they have an opportunity to help us all learn from this breach and harden our security against future incidents of this kind.
But something I just read on ModernHealthcare.com gave me pause.
In his coverage of the breach, Joseph Conn got a statement from Pam Dixon of the World Privacy Forum. I have tremendous respect for Pam and the WPF, and I found her comment a bit puzzling:
“The next thing we can say, the way this company has made breach notifications, is really poor business practice,” Dixon said. “This is disingenuous. If someone’s information has been sold to a crime ring, they need to get help and assistance almost immediately. Best practice dictates that people are told quickly and the entire truth is told.”
What is it that Pam thinks ADPI should have done, or could have done, but did not do? They say they discovered the breach on October 1 and mailed notification letters on November 29. They told people what kinds of information were involved, and if they knew for a fact that someone’s data was stolen and misused, their notification letter offered them free services through IDExperts. So what help and assistance wasn’t made immediately available?
And what information was withheld that Pam thinks is important for the “entire truth” to be told?
In my opinion, ADPI should have been more transparent with respect to the number of patients whose records were known to have been copied and misused (category 1), those whose data were copied but there’s no available evidence of misuse at this time (category 2), and those whose information might have been copied (category 3). It’s also difficult for members of the public to know whether they should be concerned because there’s no disclosure of all of the ambulance services that were affected. Someone who moved and may not receive a notification letter would have no way of knowing if their data had been stolen and misused unless they call the number. That said, I understand from similar situations in the past that ADPI may feel it is not their place to disclose their clients’ names, as the clients should be able to decide whether and when they want to publicly disclose that their patients were affected. Had ADPI simply listed all their affected clients, the clients might not have been prepared for calls from concerned patients, etc.
But ADPI probably could have and should have included some statement in their disclosure and notifications as to whose information was at risk. Was it only patients who used an ambulance service/client’s service between January of 2012 and July 2012, for example, or anyone who used one of their clients’ ambulance services since 2006 or ……? Such information often helps the public figure out whether they might be at risk and should call the phone number provided if they did not receive a notification letter. Does ADPI know the answer to that question? If so, they should have provided it. If not, they should have said that at this time, they don’t know but will disclose that once their investigation is complete.
Another question that is as yet unanswered clearly by ADPI is whether this employee had access to the computerized database or if s/he was copying from paper records that came across his/her desk. If it was theft/copying of electronic records, then there are a lot of other questions that I would ask, too, but until we know whether this was a breach of electronic or paper records, those questions may be premature.