Privacy Advisor

NSA and Legislative Breach Implications, New Breach Announcements: A Roundup

June 12, 2013

By Jennifer L. Saunders, CIPP/US

From the loss of patient data to the impact of the recent NSA/PRISM revelations on psychiatric patients to the 2013 Cost of Data Breach Study, breaches and their implications are making headlines across the globe.

Symantec’s Cost of a Data Breach Study, conducted by the Ponemon Institute, indicates the average cost of a data breach has gone up from $130 per record in 2011 to $136 per record, globally. The cost-per-record is higher in the U.S., at $188 per record, but that is down from 2011, when the average cost was $184.

BankInfoSecurity reports on an interview with the Ponemon Institute’s Larry Ponemon, CIPP/US, and Symantec's Robert Hamilton on reasons for the decline in U.S. costs, including “U.S. enterprises having stronger security postures and incident response plans as well as more routinely employing chief information security officers, an idea not universally employed abroad.”

The report notes the pair also suggests additional regulations lead to higher breach costs initially, quoting Ponemon as saying, "Regulations always cost companies in the early stage because they have to change significantly their business process.”

In other breach news, Sutter Health has notified more than 4,500 patients in California that their personal data have been compromised after “narcotics investigators found personal patient information during a methamphetamine bust in Oakland,” and HealthITSecurity reports on three separate instances of patient mailing errors by CareFirst and a robbery at Health Resources of Arkansas that may have compromised 1,911 patient records.

Meanwhile, Baker & Hostetler’s Rand L. McClellan provides an analysis of Clapper v. Amnesty International USA, in which the U.S. Supreme Court found “individuals claiming injury from the federal government’s right to conduct electronic surveillance under the Foreign Intelligence Surveillance Act (FISA), 50 U.S.C. § 1881a, lacked standing to pursue their claims.”

McClellan suggests the court’s statements “should prove useful for data breach defendants trying to defeat claims based on a plaintiff’s lack of standing. While Clapper does not necessarily foreshadow the court’s position on standing in data breach litigation, the decision is useful for defendants in the data breach context.”

And lastly, a PHIprivacy op-ed entitled “The Verizon order, the NSA and what call records might reveal about psychiatric patients,” suggests, “Metadata might tell us even more than most privacy advocates realize.”

From a healthcare breach perspective, the op-ed cautions, “I started thinking about what those records and metadata could reveal. Because my phone is used mainly for calls to and from patients and clients, can the NSA figure out who my patients are? And could they, with just a query or bit of analysis, figure out when my patients were going into crisis or periods of symptom worsening? I suspect that they can. And because I am nationally and internationally known as an expert on a particular disorder, could the government also deduce the diagnosis or diagnoses of my patients or their family members? Probably…As a healthcare professional and HIPAA-covered entity, I try hard to protect my patients’ privacy and confidentiality. I am dismayed to learn that the government has in its huge databases data that could compromise both.”
