
Breaches of Unsecured Protected Health Information - jtwarren
https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
======
fricat1ve
Electronic health records have been way oversold. Expecting every little
medical office to have industrial-grade data protection makes them far more of
a liability than they are worth.

At best mostly subjective observations, at worst full of outright errors,
they're largely useless from a health care perspective let alone for research
purposes.

~~~
gervase
In my (relatively limited) experience, most small medical offices pay for
cloud-based EHRs on a subscription basis for this exact reason. Have you
observed differently?

With regards to the usefulness of medical records, I don't know enough on the
topic to address that point.

~~~
jacquesm
> In my (relatively limited) experience, most small medical offices pay for
> cloud-based EHRs on a subscription basis for this exact reason

That mostly increases the size of the bucket without much in terms of
guarantees of the maintainers of that bucket getting it right.

------
killjoywashere
Since you're looking for ugly lists:

FDA disbarred investigators

[https://www.fda.gov/ICECI/EnforcementActions/FDADebarmentLis...](https://www.fda.gov/ICECI/EnforcementActions/FDADebarmentList/default.htm)

FDA compliance proceedings

[https://www.accessdata.fda.gov/scripts/SDA/sdNavigation.cfm?...](https://www.accessdata.fda.gov/scripts/SDA/sdNavigation.cfm?sd=clinicalinvestigatorsdisqualificationproceedings&previewMode=true&displayAll=true)

------
delbel
There's some kind of database called MIB that sells all your medical
information like a credit report. I haven't figured out how to opt out of it
or where exactly they get the data so I can opt out of it before they even
send it. It's some kind of horrific atrocity. Please somebody expose this to
everyone:
[https://www.mib.com/request_your_record.html](https://www.mib.com/request_your_record.html)

~~~
Dayshine
> a member company cannot search MIB or report information to MIB without the
> applicant’s knowledge and authorization.

Sounds like you consented...

~~~
jcims
Maybe. It's up to the member company to obtain the consent and report as such
to MIB.

I just started shopping for term life insurance recently and have an
application that was emailed to me by a local agent. It looks very much like
this one
([http://www.adkissoninsurance.com/forms/grangelifeapp.pdf](http://www.adkissoninsurance.com/forms/grangelifeapp.pdf)),
EXCEPT someone has removed the Notice of Information Practices at the top.

Page 5 contains the authorization details.

Here's what page 5 looks like on my application -
[https://imgur.com/a/zk9ZQ](https://imgur.com/a/zk9ZQ) (also Grange)

This is from a top-tier life insurance provider; who knows what kind of
shenanigans are going on out in the wild.

Edit: Just sent an email to my agent asking for a copy of that Notice of
Information Practices doc, we'll see what happens lol.

------
telchar
I wonder how many of these are encrypted systems. I see a lot of "theft" and
"loss" on that list. I know if I were to lose a system that had PHI on it I
would be required to report the breach even if the system had full disk
encryption. I'd bet many or most of these are similar.

~~~
miles
> _if I were to lose a system that had PHI on it I would be required to report
> the breach even if the system had full disk encryption_

According to the Texas Medical Association[0],

> there are only two reasons a lost device may not have to be reported as a
> breach under the HIPAA Breach Notification Rule: (1) no PHI was on the
> device, or (2) the PHI is unusable - encrypted with FIPS 140-2 encryption

[0] [https://www.texmed.org/HIPAALostLaptop/](https://www.texmed.org/HIPAALostLaptop/)

------
Sylos
> As required by section 13402(e)(4) of the HITECH Act, the Secretary must
> post a list of breaches of unsecured protected health information affecting
> 500 or more individuals.

Well, I'm glad this random webpage is broadcast onto the internet and
therefore everyone is properly informed about these breaches.

This is the same as Google providing that page somewhere deep in the account
settings where you can view what data they have on you. It's beneficial for
them to provide this, because 99.99% of users will never find it anyways. And
those that are concerned can be calmed down by it.

------
ams6110
I care less about health info privacy than identity. When I was a kid,
hospital admissions were published in the daily paper. Nobody thought much of
it.

The number of people interested in your health is tiny. The number of people
interested in your money, and motivated to try to take it from you, is much
higher.

~~~
dfee
Enjoy: Your medical record is worth more to hackers than your credit card

[https://www.reuters.com/article/us-cybersecurity-hospitals/y...](https://www.reuters.com/article/us-cybersecurity-hospitals/your-medical-record-is-worth-more-to-hackers-than-your-credit-card-idUSKCN0HJ21I20140924)

~~~
ams6110
> names, birth dates, policy numbers, diagnosis codes and billing information

In other words, identity information.

------
vxxzy
Hint: Don’t press “Archive” or you won’t be able to sleep at night. Crazy how
many breaches have occurred.

~~~
jtwarren
I think it's interesting that while there are a ton of breaches, we only know
about them because HHS requires breach reporting when it affects over 500
patients. How often is this happening in other industries where such
regulations don't exist?

~~~
killjoywashere
This is the thing. HIPAA is really a gold standard in data security
legislation. As terrible as it is (e.g. the fax machine loophole, which is
surely put there for lawyers), at least there's something punitive. And other
things can be tied to it: grants, FDA can disbar them from collaborating in
drug development, etc.

Imagine breach notifications for a company like Facebook. FCC could disbar you
from transmitting data over mobile networks.

~~~
djrogers
In California that’s been the law for over a decade. Arguably, California’s
breach disclosure law is the reason we know about the vast majority of large
breaches we hear about.

------
arkades
The NYS Office of Mental Health appears to have been breached.

------
craftyguy
HIPAA should burn these companies/organizations. Should.

~~~
killjoywashere
And then what? Where does the population go for care? Better to have a track
record on long-standing organizations that play whack-a-mole.

~~~
craftyguy
I doubt the penalties for violating HIPPA are going to put any of these out of
business. I said 'burn', not 'destroy'.

~~~
jlgaddis
> _HIPPA_

HIPAA

