This blog series has been following the continuing flow of large security breaches of Protected Health Information (“PHI”) and how affected providers and insurers have been responding to their discovery. On January 19, 2011, a blog posting was made regarding two large PHI security breaches at The University of Rochester Medical Center (“URMC” or the “medical center”) in 2010 (the “2010 Breaches”). The posting reported that a review of the URMC website revealed no reference to either of the 2010 Breaches.

Shortly thereafter, I received the following comment from an anonymous “Dissent”:


The September 2010 breach is on their [University of Rochester (“UR”)] website.

You wouldn’t find it by searching the URMC site itself, though. I only found it by running the search on the main UR site.

The 2009 hack affecting 450 [individuals] wasn’t the medical center or PHI.

There was another 2009 incident that did involve the medical center, though, reported to the NYS CPB [New York State Consumer Protection Board]. It involved “insider wrongdoing,” but I do not know if PHI or patient data was involved or if [it] was employee data. The incident was never in the media and I never requested the report from NYS under FOI [Freedom of Information].

And yes, I think all entities should have links to disclosures prominently displayed or easy to find. 




I sincerely appreciate the informed clarification provided by Dissent. It is perplexing and somewhat illogical that the September 2010 Breach would be listed only on the UR website and not on the separate, comprehensive website of URMC, the institution at which the 2010 Breaches occurred. There is not even a cross-reference or link on the URMC site to the UR posting regarding the 2010 Breaches.


Moreover, even on the UR website, the posting regarding the September 2010 Breach should proactively inform affected individuals and the general public. It should not be so difficult to locate that only those with prior knowledge who are specifically searching for that breach are likely to find it. Finally, a question: why is the April 2010 Breach apparently not listed on either the UR or the URMC website?


As stated in my earlier blog entry, the posting of both of the 2010 Breaches on the URMC website in a reasonably prominent manner would have demonstrated that URMC has a commitment to act responsibly and do more than what is (to borrow a phrase from HITECH in a different context) “the minimum necessary” for communicating large PHI security breaches. This would accelerate the rehabilitation of confidence and relations with patients and the Medical Center’s larger constituency.