Proper health data breach notification is a critical aspect of HIPAA that healthcare organizations must adhere to. Along with federal laws, there are often state and local data breach notification requirements that must also be followed.
Without prompt data breach notification, individuals may not even be aware that their personal information was compromised and that they should potentially be monitoring their credit or bank accounts.
The recent OPM data breach has brought some of these issues to light, as OPM employees and contractors who were affected by the incident reportedly have yet to receive official notice. Earlier this week, OPM said it would start informing victims "later this month." All individuals should be reached within several weeks.
“We remain fully committed to assisting the victims of these serious cybercrimes and to taking every step possible to prevent the theft of sensitive data in the future,” Acting Director of the Office of Personnel Management Beth Cobert said in a statement. “Millions of individuals, through no fault of their own, had their personal information stolen and we’re committed to standing by them, supporting them, and protecting them against further victimization. And as someone whose own information was stolen, I completely understand the concern and frustration people are feeling.”
The OPM statement added that it had awarded a $133,263,550 contract to Identity Theft Guard Solutions LLC for identity protection services for individuals affected by the breach. Individuals will receive credit monitoring, identity monitoring, identity theft insurance, and identity restoration services for three years.
“At this time, there is no information to suggest misuse of the information that was stolen from OPM's systems,” OPM explained on its website. “We are continuing to investigate and monitor the situation. We will begin to notify people affected by the background investigation incident in the coming weeks.”
OPM first announced that it had been the victim of a cyber attack on June 4. However, approximately one month later OPM reported that a significantly greater number of individuals were affected by a “separate but related” cyber security breach. The latter affected 21.5 million individuals, and some of the compromised information included identification details such as Social Security Numbers, residency and educational history, employment history, information about immediate family and other personal acquaintances, health, criminal and financial history.
Health information was only a small part of the OPM data breach, but there are several key takeaways for healthcare organizations. A strong data breach notification process should be part of a covered entity’s larger health data security plan. Moreover, being aware of any state laws will also be important to ensure that the notification process runs smoothly.
For example, there is a proposed federal data breach notification law that would allow states to keep their own notification laws if they already have stricter requirements in place. The Consumer Privacy Protection Act was introduced on April 30 and states that companies will need to inform federal law enforcement of all large breaches, as well as breaches that involved federal government databases or law enforcement or national security personnel.
“We must ensure consumers have strong protections on the federal level, but in so doing, we must make sure Congress doesn’t weaken state protections that consumers rely on to keep their information safe,” explained Connecticut Senator Richard Blumenthal, who is one of the bill’s sponsors. “Importantly, this measure strikes the right balance between state rights and strong federal enforcement and extends consumer privacy protections into a new digital era.”