The Identity Theft Resource Center (ITRC) recorded 341 individual data breaches for the first six months of 2010. For 46% of breaches, the number of records potentially affected weren’t disclosed, and for 38%, no cause was disclosed. Hundreds more went unreported, said the organization.
The ITRC first began maintaining a detailed list of data breaches, updated weekly, in 2005. According to the ITRC, some USA states have a protected breach list that is not made public , or is only accessible by exercising the Freedom of Information Act. One state, had a list of 200 breaches, but little information was disseminated, publicly, about the number of records affected.
For medical data breaches, the Department of Health and Human Services (HHS) has created a “risk of harm” threshold for notifications under which when an organization determines that a data breach hasn’t caused “a significant risk of financial, reputational, or other harm to individual,” then it doesn’t have to report the breach, either to the person whose information was breached or to law enforcement agencies.
So “despite a law stating that all medical breaches involving more than 500 people must be listed on the Health and Human Services breach list, ITRC recorded medical breaches that never made the list,” according
The “risk of harm” medical record clause was first disclosed in August 2009. and the Center for Democracy and Technology challenged the loophole, arguing that “the primary purpose for mandatory breach notification is to provide incentives for healthcare companies to protect data.”
In other words, if healthcare companies properly invest in security, they can avoid data breaches, and the attendant cost of related fines. “However, the harm standard institutionalized in HHS’s interim final rule cripples this crucial incentive,”
Allowing organizations to conduct their own risk assessment, and to then determine whether or not to notify people whose records have been affected, leads to underreporting of the extent of data breaches and provides an incomplete picture of which organizations adequately safeguard people’s personal information. “Consumers want to know if they are at risk from even a small breach,” according to the ITRC. “The details of a breach help determine their risk factors as well as guide them in proactive measures.”
