The recent breach of “Jude Medical Center in Fullerton and Mission Hospital facilities in Laguna Beach and Mission Viejo” offers some examples of communication made after discovery.
First, the article gives a statement regarding obfuscation of the data:
But the data would have been difficult to access without using “a complex combination of terms” or be doing an “extensive search,” said Dr. Clyde Wesp, chief medical-information officer for the St. Joseph Health System.
Complex according to what? Compliance regulations tend not to use “complex” or “extensive” to describe controls required for privacy because computers are very good at turning both complex and extensive into easy and fast operations.
The University of Miami tried to make this argument when they lost their backup tapes. It did not fly then. It won’t fly now. Doctors, of all people, should know better than to say that complexity will be the main impediment to success.
So the question they really should answer is related to the “strength” of the control that protects data, not the complexity.
Second, the article says they are unaware of anyone obtaining the data improperly:
St. Joseph discovered the security breach within the past week after receiving a phone call from a patient’s attorney, said hospital officials, adding they do not know how the patient learned about the problem. Personnel at the two hospitals have not heard of any of the information being improperly obtained, Wesp said. The information could have been accessed from Google and Yahoo; the hospital worked with the search engines to delete the information from the Internet.
They may be trying to emphasise that it is hard to prove a negative. Yet the article also gives at least two positive examples of improper access.
The first is by the search engines. They have evidence that the data was accessed by Google, Yahoo!, and so forth. Did they authorise search engine access? No.
The second is by the patient’s attorney. Clearly the patient’s attorney obtained something akin to improper access, which is why they contacted the entity.
This also undermines their “difficult to access” communication in the first point. It is easy to use a search engine. It must have been easy enough for the patient and/or their attorney to find the data and access it, so how complex is it really?
Third, they try to give some of the usual disclaimers:
It would not have included Social Security numbers, addresses or financial data, the doctor said. “I think that the most important thing is that our response was rapid,” Wesp said. “As a health system, we have secured the sites, and this information is not available any longer.”
These no longer carry any weight. Regulators, as well as patients, have expanded the scope of concern beyond basic financial information. Email addresses, birth dates, intellectual property, even zip codes are increasingly considered privacy-related information. And if they want us to believe the data was not privacy-related, why would they report the breach at all?
It’s nice to see that they had a “rapid” response but I don’t know anyone who would characterise that as “the most important thing”. Everyone, I think, would agree it is more important to prevent a breach or to detect a breach internally than to respond rapidly. That certainly has been the perspective taken by regulators who have fined entities for failure to prevent breaches. Rapid response just lessens the penalties, it does not take them away.