Online information needs better protection

Published September 19, 2011

UM expert says remedies must focus on empowering consumers, punishing breaches

By Eric Chapman
2:41 PM EDT, September 19, 2011

Two recent stories have highlighted how confidential health and patient data are at risk. First, a report from the Department of Health and Human Services' Office of Civil Rights noted that nearly 8 million Americans were affected by almost 31,000 health information breaches in the course of a year. Alarmingly, nearly 70 percent of the investigations into data breach incidents that affected 500 people or more remain open.

Second, a medical data breach of 20,000 emergency room patients at Stanford Hospital was discovered by a patient after the information had languished online for nearly a year. The information included names, diagnosis codes, admission and discharge dates, and billing charges.

While the report from the Department of Health and Human Services confirms that medical information breaches are occurring with disturbing frequency, the fact that the Stanford Hospital patient data remained available online for a year is especially shocking.

Two problems must be addressed to right this wrong that is affecting so many Americans. First, hospitals and those who contract with them must take better steps to protect confidential patient information and files. As our nation begins the push toward electronic medical health records, consumers must have the confidence that their personal information is adequately protected from inadvertent disclosure.

Next, and more importantly, consumers must be notified in a timely and efficient manner that their personal information was disclosed to an unintended party. Currently, there is a patchwork of 47 distinct state laws that require businesses to notify consumers if cyber-intruders have accessed consumers' personal information.

In May, the Obama administration submitted a comprehensive cybersecurity legislative proposal to Congress. Among other provisions, this package included a requirement that would standardize, simplify and harmonize the data breach notification requirements in existing state laws. Notifications would be made "without unreasonable delay," meaning in 60 days or less, provided there is not a compelling law enforcement reason to extend the delay for investigative purposes.

Prospects for the successful enactment of comprehensive cybersecurity legislation are far from certain; portions of the comprehensive package are considered controversial. Realizing this, the Senate Judiciary Committee is poised to address three differing data breach notification bills.

Although data breach notification extends beyond the disclosure of medical information, three important priorities should guide lawmakers in their debate to standardize notifications to consumers whose personally identifiable information and data have been inappropriately accessed:

Empower consumers with information. Patients assume that the information they entrust to a medical provider will be treated with utmost care and confidentiality. When that trust is broken, they must be notified within 30 days - and preferably sooner - unless there is a pressing national security interest for not doing so. California state law requires notification within five days of discovery, while others allow much greater time to notify consumers.

Empower consumers to take action. Users must be presented with potential remedies when their private information has been put at risk. This includes providing them free access to identity theft and protection services.

Impose penalties on those responsible. California and Massachusetts have taken the extraordinary step of fining hospitals in the past for delayed notification of breaches. This trend must continue, and the fines imposed must continue to escalate for hospitals to take data protection seriously. Moreover, the hospital itself needs to specify and verify that contractors with whom they work, such as billing services, adhere to guidelines to better protect patient information.

It is imperative that our elected officials take immediate steps to better protect the vast amounts of personally identifiable information that are electronically stored. A good starting point would be to enact - without further delay - a national data breach notification law.

Eric Chapman is associate director of the Maryland Cybersecurity Center on the campus of the University of Maryland, College Park. He was previously a professional staff member on the Senate Select Committee on Intelligence. His email is echapman@umiacs.umd.edu.

See full story in Baltimore Sun