Hospitals often fail to notify patients of data breaches

Jon Brodkin of Network World writes:

If your medical records were exposed in a security breach, would you expect the hospital to tell you? You shouldn’t. Because of regulatory loopholes, only 56% of healthcare organizations that have exposed medical records notified the patients involved, survey results issued this month found.

“There are loopholes in almost every law regulating patient data management, including the Health Insurance Portability and Accountability Act (HIPAA), the Sarbanes-Oxley Act of 2002 (SOX), and Payment Card Industry Data Security Standards (PCI DSS) that have enabled breach cases to go unreported, preventing an accurate report on frequency,” says the 2008 HIMSS Analytics Report: Security of Patient Data, commissioned by Kroll Fraud Solutions.

The loopholes allow hospitals to cite “reasonable efforts,” “acceptable measures,” and similarly vague language to avoid notifying patients, the report states.

More than 1.5 million names were exposed in data breaches occurring in hospitals in 2006 and 2007, according to data cited by HIMSS Analytics.

Full story – Network World

Comment: I haven’t yet had time to read the HIMSS Analytics report in its entirety, but that 1.5 million number is something that I can comment on now. The study seemed to rely on’s DataLoss project. Because of Attrition’s focus and inclusion criteria, they do not include many small breaches that this site includes in our reports and analyses. There are many breaches due to insider theft of information or insider misdoing that never get included in’s figures. Similarly, does not indicate in their database whether the names and details exposed in a hospital breach are those of employees or of patients.

If you look at this site’s Chronology of Breaches for 2006 and for 2007 (both .pdf), you will only see hospitals listed if the breach affected patient data. And if we only look at patient data, then the statistic relating to hospital breaches drops to probably under 800,000 for 2006 and 2007. Of course, the chronologies only include cases or stories that were reported in the media or that we uncovered via disclosures to states attorney general, etc. The HIMSS Analytics report may reflect data or incidents never reported in the media.

No matter what source one uses, we are still only seeing the tip of the iceberg, and I agree with the overall conclusion that patients are not being notified enough.

About the author: Dissent

Comments are closed.