New River Health Association breach highlights a source of confusion in HHS breach tool
I love HHS’s breach tool, but it remains a source of frustration. Consider this newly added entry:
“New River Health Association ,WV,,950,4/1/2011,Unauthorized Access/Disclosure,Paper,,”
We know who, we know how many, and we know when, but we don’t know what data types were involved. And for those who try to analyze breach data, there’s a big difference between “unauthorized access” and “disclosure.” The latter could be a web exposure, it could be papers left lying in a public area, or it could be an email attachment that wasn’t sent in encrypted form (although in this case, we are dealing with paper records). And “unauthorized access” could be employee snooping or an employee who was stealing information to use for fraudulent purposes, to name but two possible scenarios.
So what went wrong here? There’s no notice on the New River Health Association website to tell us, and no media coverage. In time, we will likely find out – if for no other reason than some of us file under Freedom of Information to obtain data that we use for statistical analyses. In the meantime, we can only scratch our heads.