Columnist questions lack of medical data theft info

On the bright side, at least government is reporting breaches
March 3, 2010

The new Health Information Technology for Economic and Clinical Health Act (HITECH Act) sets rules for how health care providers must disclose data breaches that involve more than 500 patients.

But Los Angeles Times consumer affairs columnist David Lazarus writes that the Department of Health and Human Services isn’t “exactly being generous with details about people’s confidential medical info being hacked or going astray.”

He refers to a breach from way back on Sept. 27, in which the records of more than 18,000 patients—all belonging to at least five different doctors in Torrance, Calif.—were potentially accessed.

Lazarus wonders: “Were the doctors in the same office? Were they in the same building? Did they share a single computer? Did they share office staff? Or was it just a fluke that five local doctors' offices were hit by cyber-thieves on the same day? More to the point, were people's Social Security numbers involved? What about billing information?”

The HHS database doesn’t offer answers, nor does it even identify the doctors involved, Lazarus writes. This lack of knowledge is detrimental to the public, he adds, noting that people shopping around for a physician might want to know those particulars. Also, the threat of public disclosure would provide “a strong incentive for businesses and service providers to improve their security measures.”

Here’s the government’s response, according to the article: breaches are only now being disclosed because the new law gave doctors, hospitals and other providers a six-month grace period before they had to start reporting about lost data. Another grace period gives medical facilities another 60 days to report any breach after an incident occurs. Then, HHS staff has to verify an incident before word of it can be passed along to the public.

“The main point of the law is not to put notices up on the Web site,” said Georgina Verdugo, director of the agency’s Office for Civil Rights, which oversees privacy matters for HHS, in the Times column. “It's to trigger a regulatory investigation.”

One thing to keep in mind is that for the vast majority of states, this is the first time medical information is being held to the same level of required notification as financial or credit card data. And even if the amount of information being disclosed is less than ideal, the HHS database remains a rare government source of data breach information—at the very least, a step toward responding to the problem.

©2003-2010 Identity Theft 911, LLC. All rights reserved.
