Data Breaches: What and When to Disclose
When a healthcare organization experiences a breach, there is so much to do, so many issues to consider. One is figuring out how much information to give the public and how quickly to give it.
Health insurer Anthem gave various estimates of the number of affected individuals following its massive hack as it tried to quickly get information out to the public and got some criticism for the changing numbers, but the company was still about 10-14 days away from being ready to start mailing notification letters when the hack was announced.
Other organizations have been criticized for not moving fast enough to go public. In many cases, local police or the FBI ask an organization to delay announcing a breach until their investigation is over, says Donna Wilson, chair of the privacy and data security practice at the law firm Manett, Phelps & Philips. “The intent is to capture bad guys and determine what they’ve done.” It can be a no-win scenario, she adds.
Companies that have suffered a major breach of protected information often haven’t yet fully completed the forensic investigation when they make the breach public and the language they use may be clumsy, or they are over-lawyered.
Muhlenberg Community Hospital in Greenville, Ky., in recent days announced and mailed notification letters after learning from the FBI in mid-September of suspicious activity in its network. But the hospital in the announcement walked around the words “hack” and “cyber-attack,” saying, “We have confirmed that a limited number of computers were infected with a keystroke logger designed to capture and transmit data as it was entered onto the affected computers.” Muhlenberg also declined to say how many individuals were affected, but that information has or soon will be given to the HHS Office for Civil Rights, which enforces the HIPAA privacy, security and breach notification rules.
The hospital may not yet be fully finished with forensics and unsure of how much it should initially disclose; which is a common issue, Wilson says. “This is still very early in the game.”
Oftentimes, she notes, an organization with a breach never gets a full answer from the forensic investigation and may over-notify—which is notifying more individuals than is really needed—in an abundance of caution because it doesn’t definitively know how long computer systems were compromised and the total extent of the damage.