Lots of health data breaches reported to HHS, only trivial ones to FTC

With just over a year having passed since the health data breach notification rules mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act went into effect, an interesting contrast has emerged between the breaches disclosed to the Department of Health and Human Services (HHS) by HIPAA-covered entities and business associates and those disclosed to the Federal Trade Commission (FTC) by organizations that provide personal health records (PHRs) and associated services but are not covered by HIPAA. As reported on Monday, and as evidenced by the complete listing of breaches posted by the FTC, as far as the FTC is aware there have been no major breaches (those involving 500 or more individuals) in the past year. All 13 of the breaches reported to the FTC involved lost or stolen credentials, which presumably could allow an unauthorized party to gain access to a user’s personal health information, but no actual loss of data seems to have been involved. It may or may not be significant that all of the reported breaches came from one company: Microsoft. In contrast, the current count of breaches reported to HHS is 181, all of which involve 500 or more individuals, and many of which apparently involve loss or theft of data (or of laptops or other paper or electronic record storage devices).

It seems fair to ask whether any substantial conclusions can be drawn from the paucity of breaches reported to the FTC or from their relative triviality. No one appears to be suggesting that the data protection practices of organizations subject to the FTC’s data breach rule are superior to those of organizations covered under HHS’ rules, so why are so few breaches reported to the FTC? Several possible explanations come to mind, only some of which have anything to do with security or privacy practices:

  • The population of organizations subject to the rule is small. The FTC’s Health Breach Notification Rule, following language in the HITECH Act (§13407), applies specifically to “vendors of personal health records” and third-party service providers who are not covered by HIPAA. The total number of these vendors is very small relative to the number of covered entities and business associates subject instead to HHS’ rules.
  • Breaches of encrypted data do not have to be reported. Following HITECH (§13402), both the HHS and FTC data breach notification rules apply to breaches of unsecured data, meaning data that has not been “rendered unusable, unreadable, or indecipherable” through the use of recommended technologies such as data encryption. It is possible that some PHR vendors who suffered relevant incidents had no cause for concern, and no reason to disclose them, because the data in question was encrypted.
  • Not many people use PHRs from non-HIPAA-covered vendors. This is not meant to imply that vendors like Dossia, Google, and Microsoft have so few PHR users that a data loss could not rise to the level of a major breach, but instead to suggest that malicious attackers may find more attractive targets among health care organizations.
  • Technology company employees (may) have better security awareness. This suggestion is certainly open to challenge, but given the frequency with which health data breaches occur due to intentional or inadvertent misuse by employees (that is, authorized users), PHR vendors whose business depends to a great extent on their ability to secure customers’ data might logically make security and privacy awareness a higher priority among the employees who have access to that data. It also shouldn’t be overlooked that, unlike employees of health care organizations, PHR vendor employees have little or no reason to access the personal health information stored in their systems.
  • Organizations subject to the rules are not reporting their breaches. It is also possible, as with any other mandatory reporting requirement that lacks proactive enforcement, that some of the PHR providers or other entities subject to the FTC’s rules have experienced breaches but chose not to report them. The HHS breach disclosure rules include a “harm” exception, under which entities can avoid the requirement to provide notification about a breach if they determine that no harm will occur to the individuals whose data was disclosed. The FTC opted not to provide such an exception, citing the special sensitivity of health information, so PHR vendors cannot use it as a reason not to report. They may, however, perform their own internal risk calculation and decide that they would rather not disclose, accepting the risk of sanctions if their failure to disclose is discovered.