Spears Legal Technology


This blog is a resource guide for informational purposes only, and not the delivery of legal, technical or other professional advice. Using the information provided on this blog does not constitute an attorney-client relationship. If you need legal advice, please consult your lawyer.

"ATTENTION VIRGINIA I have your sh**!"

In April of 2009 a hacker infiltrated the network of the Virginia Department of Health Professions and stole over eight million patient records and 35 million prescriptions. The hacker posted a note on another site which read:

"ATTENTION VIRGINIA I have your sh**! In *my* possession, right now, are 8,257,378 patient records and a total of 35,548,087 prescriptions. Also, I made an encrypted backup and deleted the original. Unfortunately for Virginia, their backups seem to have gone missing, too. Uhoh :("

The note went on to demand $10 million within seven days, after which he threatened to offer the information to the highest bidder. Virginia officials determined they did have a proper backup and did not pay the ransom. However, Virginia notified only the 530,000 individuals whose records were believed to contain social security numbers, rather than all eight million patients affected by the breach. That means almost 7.5 million consumers were not alerted to the risk that their medical data may have been compromised.

In one way Virginia officials were lucky. Had the incident occurred just five months later - after HITECH's breach notification rule went into effect - the Virginia Department of Health would have been required to notify all 8.2 million patients of the incident and incur the associated costs. Those costs aren't trivial: 2011 estimates suggest a data breach costs $214 per compromised record and averages $7.2 million per data breach event.

Under the HITECH Act, covered entities and business associates must follow the data breach notification reporting obligations when there is a breach of unsecured personal health information (PHI). So what does "secured PHI" look like? The DHHS has issued guidance that amounts to a rather narrow window, as there are only two methods identified that would render patient data unusable, unreadable, and indecipherable: encryption and destruction.

Or looking at this another way, covered entities and business associates that would otherwise be obligated to follow HITECH's breach notification requirements have two "safe harbors" available: encrypting or destroying the data prior to the breach.

