[ Thursday, March 17, 2011 ]
Here is HealthNet's press release. There may be less there than first meets the eye. It seems that several server drives have gone missing. IBM is HealthNet's business associate, and could end up being the responsible party. And it's not clear if the drives are lost, stolen, misplaced, or something else. If they're misplaced or lost, they could show up later. If they were stolen, the data was probably scrubbed off of them. It doesn't necessarily look like the data has been taken, disclosed*, or used.
Of course, and especially given its own history, HealthNet should have vigorous "encryption in place" protocols for its data, but apparently doesn't. They surely had a chance to prevent at least the notification requirement. That's not good.
*As for "disclosed," in my opinion there must be a recipient for the data to have been "disclosed." It may have been "exposed," but if nobody sees it, I think it isn't "disclosed." If a tree falls in the forest and nobody is around to hear it, . . .
Jeff [9:58 AM]