May 262010

A breach that was not reported on this site initially but was covered on, apparently involved medical information, too, as we now learn…

As a follow-up to previous coverage about the stolen Lake Ridge Middle School stolen thumb drive here and here, Andrea McCarren of WUSA-9 provides some additional details that have infuriated parents (emphasis added by me):

The device was taken from a bag in an administrator’s unlocked car in her unlocked garage.

….. On the stolen thumb drive: personal information on more 1,200 students-their names, phone numbers and sensitive information, including whether they have a medical condition.

Dollars to donuts says they don’t report this to HHS even though it has names and medical conditions, because these things are considered education records. There is a huge gap in protection and notification laws here, folks…..

  2 Responses to “Stupid is as stupid does: the Lake Ridge Middle School breach”

  1. There isn’t a need for them to report to HHS, as the school isn’t a covered entity under HIPAA. This would probably be a violation of FERPA, which is supposed to protect educational records, including health information held by educational institutions.

    • There isn’t a law requiring them to report it to HHS and FERPA doesn’t require reporting or notification. Lovely. As I said, there’s a gap.

Sorry, the comment form is closed at this time.