Why We Need Better Breach Disclosure Laws
I was reading my Twitter feed today and saw a Tweet announcing a major medical data breach in Pennsylvania.
The breach was caused by a lost flash drive containing the names, addresses, and health information of 280,000 people insured by Keystone Mercy Health Plan and AmeriHealth Mercy Health Plans, both based in Philadelphia. According to an article in Compliance in the Cloud:
The breach, which involves the records of Medicaid recipients, is the first such Medicaid data breach in Pennsylvania since at least 1997, according to the state's Department of Welfare, which has oversight.
The breach, one of the largest of the year, is bad enough. That it wasn't disclosed to affected members until the Philadelphia Inquirer began to investigate is disturbing. This follows on the heels of a breach in New York state that happened in July but, it appears, was not publicly reported until September (hopefully the potential victims were notified earlier).
The Pennsylvania law is vague about how much time may pass before affected parties must be notified -- it says only that the delay shouldn't be unreasonable. However, the Inquirer reported: