[ Thursday, July 05, 2007 ]
to paraphrase the Government Accountability Office's new report
, data breaches happen fairly often, but cases of identity theft coming out of those breaches are pretty rare; at least as far as we can tell. That seems right -- there are plenty of data breaches that aren't caused by someone trying to get data, but rather by someone failing to fully protect the data; in those instances, it's unlikely that anyone would improperly access or receive the data, and if they did, they would be unlikely to use it for nefarious purposes. An even in instances of "active" data interception, there are probably plenty of such cases where the party accessing the information isn't trying to engage in identity theft (or isn't able to do so for some reason -- perhaps the data isn't enough, or the hacker lacks the skills), but is just a cybervandal. I think you can extrapolate that cases where the data is healthcare information are even less harmful; first of all, the data usually doesn't have any commercial value to the data thief, so it's even less likely to be targeted; and if it's accessed, it's less likely to be used. Still, no reason not to stay vigilant and make sure you comply with your requirements under HIPAA (not to mention general ethical and business reasons), but also some comfort in case there is a breach.
Jeff [12:35 PM]
Blogger: HIPAA Blog - Edit your Template