Mandatory reporting has had a positive impact on the reported number of medical data breaches. First published this year, the Department of Health and Human Services (HHS) Breach List has identified 214 breaches to-date. Unfortunately, the HHS database provides insufficient information for the public to know what types of records were placed at risk. The HHS breach report does not detail whether names, x-rays or Social Security Numbers (SSN) were included in the exposed data. The public has no way of knowing just how minor or serious the data exposure was for any given incident. Media has helped by reporting more details for some breach events.
In addition, state mandated reporting of all breaches - by several state Attorneys Generals - increased public reporting, but only applies if an individual in that state might be affected. In 2010, New Hampshire listed 96 breaches and Maryland reported 160. Wisconsin and Vermont have small lists of reported breach events.
Approximately 200 breaches, 29% of the 662 total reported by the ITRC, were credited to information provided by these "mandatory reporting" states. This is a clear argument for mandatory reporting to achieve transparency for the public.
Highlights of the ITRC Breach List analysis include:
- Paper breaches account for nearly 20% (1/5th) of known breaches and typically go unnoticed until a consumer reports the problem to local media. There is generally no mandatory reporting requirement for paper breaches.
- Malicious attacks still account for more breaches than human error, with hacking at 17.1% and insider theft at 15.4%.
- 38.5% (255) of listed breaches did not identify the manner in which the information was exposed. This indicates a clear lack of transparency and full reporting to the public.
- 51% of publicly reported breaches indicated the number of records exposed, totaling 16.1 million records. Note: records can mean credit cards, bank accounts or other information. It is not representative of the number of people involved.
- However, nearly half of all breaches (49%) did not list number of potentially exposed records. This ingrained inaccuracy in reporting is another argument for mandatory reporting.
- 412 breaches (62%) reported exposure of Social Security Numbers, representing 76% of known records.
- 170 breaches (26%) involved credit or debit cards, representing about 29% of known records.
The nation needs a centralized, publicly available, data breach reporting site. It should be comprehensive enough to allow readers to find out what happened, what information was compromised, and why the breach happened. This would also allow law enforcement to better address this type of crime.
Consumers, government and the business community need to stop acting like ostriches with their heads in the sand. Second, the concept of "risk of harm" is not acceptable for determining notification. This is true especially if the company involved is allowed to define "risk of harm." Only a federal IT forensic specialist should have that authority. Breached information has been used months after the original exposure.
Are breached entities going to like the future? ITRC hopes they will embrace the change as productive and valuable. Mandatory reporting is on the horizon. It will be demanded either by consumer lobbying or legislation.
For the reports and statistics visit www.idtheftcenter.org.