Sophos Cloud Optix
Vermont and North Dakota have both decided to improve data breach notification (DBN) laws in their respective states in recent months. To a degree, this is exactly how the American system of government is designed to work.
Flesh out an idea at the state level, implement it, go back a little while later and close the loopholes and reiterate. Eventually a solid methodology becomes a general consensus across the 50 states and a Federal law can supersede them with some uniformity.
Vermont’s original bill, Security Breach Notice Act, 9 V.S.A. § 2435 (rolls off the tongue, doesn’t it?), had a bizarre exclusion for financial institutions. It is not unusual for loopholes to make it into early revisions of law, which seems to be the case here.
On May 13th Governor Peter Shumlin signed the revision into law. It now states:
"A data collector or other entity regulated by the Department of Financial Regulation under Title 8 or this title shall provide notice of a breach to the Department. All other data collectors or other entities subject to this subchapter shall provide notice of a breach to the Attorney General."
North Dakota has taken a second look at its DBN law, 51-30-01, and amended it effective August 1st in House Bill 1435.
Previously North Dakota considered PII or Personally Identifiable Information to include:
Social Security Number, Driver's license number, state ID card, financial account details (credit card, bank account, etc), date of birth, mother's maiden name, employee ID number or a copy of your signature (digital or otherwise).
The state has added two important items to this list for non-HIPAA covered entities: medical information and health insurance information.
This plugs a federal loophole allowing organizations that are not “covered entities” to ignore the rules under the HIPAA act.
Which brings me to my home state of Michigan. Last week, the Michigan Department of Community Health contacted more than 49,000 individuals to warn them they were at risk of identity theft.
A server belonging to the Michigan Cancer Consortium, containing unencrypted names, Social Security numbers, birthdates and cancer screening results, was hacked.
This would appear to be the exact situation the HIPAA law was designed to discourage. A clear violation, one might say.
Nope. Not according to the state of Michigan. The hacked organization isn’t a “covered entity.”
Under HIPAA, the Cancer Prevention and Control Section of the Department of Community Health, which shared the data with the Cancer Center, doesn’t meet the specific definition put forth by Health and Human Services.
According to a Health Data Management article, the state’s spokesperson said the data in question:
"were not medical records and therefore, no notification under HIPAA was sent to individuals. However, because the reports contained Social Security numbers, the Identity Theft Protection Act did apply."
Looks like I did the right thing by moving away. Clearly the letter of the law in Michigan is much more important than the spirit.
While it is likely they are avoiding admitting to a HIPAA violation to avoid fines and an investigation, perhaps that is exactly what is needed here to ensure this type of accident doesn’t occur again.
My name, birthdate and cancer screening results are not considered part of my “medical records?” Perhaps you ought to consult with your cousins Vermont and North Dakota for a peek at their dictionaries.
Lastly, my blog posts are never complete without some unsolicited advice. Here is some for both the state of Michigan and anyone else involved in handling *ANYTHING* related to health records.
It is all important. All of it. Every last scrap. Stop storing it on unprotected web servers. Encrypt everything.
As we have no choice but to entrust you with our information, please start treating it as if it were your own.
Nurse shredding records image courtesy of Creative Commons 3 image from Compliance and Safety
Personal Data and Health Record images courtesy of Shutterstock.
"As we have no choice but to entrust you with our information, please start treating it as if it were your own."
That. There's the problem. Neither the state of Michigan nor any other state entities (including the Feds) have any proprietary interest in the security of our information. They can't. It's not theirs.
Government (as it's currently constituted) is fundamentally NON-proprietary. That's supposed to be a good thing…like it's "objective", or something. But in fact, you've nailed it, Chet. It’s precisely the reason why it fails.
Treating our property as if it were their own is definitely on the right track. But then the “we have no choice” kicks in. And there goes the ball game.
Methinks that’s the key. WHY do we have no choice? WHY do we assume that “no choice” is a necessary system constraint? WHY can’t we fire the state of (______ …fill in the blank) and hire someone else who can do a better job? WHY should incompetent bureaucracies have an entrenched monopoly on government services? WHY do they have the authority to declare themselves exempt from the consequences of their own incompetence?
And you nailed something else, too:
"Clearly the letter of the law…is much more important than the spirit."
That's true everywhere, not just in Michigan. As the aggregate mess of laws becomes more complicated, it becomes less effective. It’s a systemic problem. More laws can’t solve the problem. They’re a palliative that makes us feel we’re converging on a solution, when in fact we’re forcing the system to diverge into chaotic behavior.
Chester,
Do your homework before accusing state officials of ignoring notification laws.
This breach was of a third party website http://www.michigancancer.org (which is a 501c3) and not a part of state of Michigan government. This is a group of doctors and nurses and hospitals.
I think you should send an apology to our government friends in Lansing, rather than throwing (inappropriate) stones. State government probably won't do this, but I would sue you if you false accused my company of "ignoring notification laws."
See this article for more information: http://www.healthdatamanagement.com/news/breach-notification-hipaa-privacy-security-46359-1.html
Will you do the right thing and talk to the vendors involved rather than making inappropriate assumptions? Will you write a correction?
I don't agree that Michigan Cancer is not a covered entity. I also believe that the intent of the law is more important than the letter. The public acknowledgment of this breach is important for residents to see how the state is handing their information (handing it to third parties who apparently have no obligation to protect it).
What use does Michigan Cancer have for my social security number? Are they providing benefits? Are they responsible for taxation?
Why is the state handing sensitive health records and personal information to non-governmental entities? Were patients informed beforehand?
If the state is authorized to do so, shouldn't they require the third party to protect the information being shared? If the third party fails to meet minimum standards for data protection, is it not the state's responsibility as well?
To determine Lansing's culpability we need honest and open information and dialog.