17 October 2011

Try caring, not sharing

In following up the recent item regarding litigation against Stanford Hospital over a data breach involving 20,000 patient records I note a proposed US$4.9bn class action against the US Defense Department over the TRICARE healthcare system for military personnel and their families.

The lawsuit alleges that the DOD failed to adequately protect private data (i.e. did not encrypt sensitive personal information) and exhibited "intentional, willful and reckless disregard" for patient privacy rights, including delays in notifying people whose data had been exposed. The plaintiffs seek US$1000 in damages for each of the 4.9 million individuals affected by the breach.

Last month it was revealed [PDF] that names, addresses, phone numbers, clinical notes, Social Security Numbers, pathology and other personal health data regarding around 4.9 million people (spanning some 20 years) were held on unencrypted backup tapes stolen from the car of a Science Applications International Corporation (SAIC) employee at that employee's residence. The corporation is a TRICARE contractor. We might wonder about the prudence of leaving such data lying around, unencrypted, in a parked car.

The DOD advises that -

"The risk of harm to patients is judged to be low despite the data elements involved since retrieving the data on the tapes would require knowledge of and access to specific hardware and software and knowledge of the system and data structure," according to the Tricare statement. "Since we do not believe the tapes were taken with malicious intent, we believe the risk to beneficiaries is low."

As a result, the Department and SAIC will identify the individuals who were exposed; those people will receive a notification by mail over a six week period. SAIC is reported to be paying for the contact exercise but will not be funding free consumer alert services under the Health Insurance Portability & Accountability Act (HIPAA) regulations, amid claims that the data is instead covered by the weaker Federal Trade Commission rules.