New information has been published regarding Google's January 2010 disclosure of the theft of proprietary computer information by Internet intruders. On April 19, 2010, John Markoff wrote in The New York Times that a Google “password system that controls access by millions of users worldwide to almost all of the company’s Web services, including e-mail and business applications” had been breached. The article goes on to say:
The new details seem likely to increase the debate about the security and privacy of vast computing systems such as Google’s that now centralize the personal information of millions of individuals and businesses. Because vast amounts of digital information are stored in a cluster of computers, popularly referred to as “cloud” computing, a single breach can lead to disastrous losses.
You control who can access your personal health information. By default, you are the only user who can view and edit your information. If you choose to, you can share your information with others.
Included among the statements in the Google Policy under the heading “How Google uses your information” is the following:
To store your information in Google Health, you will need a Google Account. When you create a Google Account, Google asks for your email address and a password, which is used to protect your account from unauthorized access.
If the security breach at Google is as broad and comprehensive as reported, a subscriber to Google Health is not as in control of his or her PHI as the Google Policy may lead one to believe. While HIPAA and HITECH statutes and regulations would require a “covered entity” or “business associate” to undertake massive damage control and notices of breach to affected individuals, and perhaps even subject the covered entity or business associate to heavy penalties, presumably the Google Health repository is not so regulated. The potential damage to subscribers is catastrophic and perhaps should be the subject of investigation for potential regulation.