Notifying patients about a healthcare information breach requires a "difficult balancing act" by entities to ensure that risks are not exaggerated, says attorney Robert Belfort, an expert in HIPAA compliance, fraud and abuse.
A breach is a disaster, says business continuity specialist Ken Schroeder. So organizing an effective breach-response team does not require a reinvention of the wheel. What it does require is a holistic approach.
Save Mart, the Modesto, Calif.-based grocery chain, now confirms that skimming devices are to blame for the data breach believed to have exposed hundreds of consumer accounts to debit and credit card fraud.
As legal issues surrounding data breaches become increasingly complex, more organizations are turning to attorneys for post-breach response, says Lisa Sotto, a managing partner for New York-based law firm Hunton & Williams.
Healthcare organizations should carefully document all necessary breach investigation and notification actions and responsibilities to avoid chaos when an incident occurs, says Dawn Morgenstern, privacy official at the Walgreens national drugstore chain.
The ongoing delay in the release of final versions of HIPAA modifications and the HIPAA breach notification rule makes it more difficult for healthcare organizations to set information security investment priorities, says hospital privacy officer Kari Myrold.
Virtual Radiologic Professionals, LLC notified individuals about a stolen laptop taken from an employee's car. By corporate policy, the laptop's hard drive was supposed to be encrypted, but something went wrong.
Sutter Health, an integrated delivery system that was in the process of encrypting all its desktop computers, reports that a device that had not yet been encrypted was recently stolen, affecting more than 4.2 million patients.
Servers at Virginia Commonwealth University were recently hacked, potentially exposing Social Security numbers for more than 176,000 faculty, staff, students and affiliates at the university and the VCU Health System.