Delta Dental, The Smile Center, and an expert witness are at the center of one of the most convoluted medical data breach stories that I’ve read in a while. The article at myfoxtwincities.com leaves me with more questions than answers. One thing that’s not a point of contention: data encryption software was not used to secure patient information.
When Expert Witness Causes Breach, Who’s Responsible?
According to the myfoxtwincities.com story, a disk that contained names, dates of birth, and Social Security numbers was lost when a laptop got stolen from an office at the University of Minnesota four months ago. The laptop belonged to an expert witness brought in to testify in a multi-million dollar lawsuit between the two companies.
Affected patients — it was not reported how many were affected — are only being notified now.
One detail that was revealed: only those who were insured by Delta Dental and visited the St. Paul location of The Smile Center between January 1, 2003 and June 30, 2010 are affected.
(By the way, hiding the number of people affected is asinine. Someone’s eventually going to have to report the incident to HHS, which will publish the details if more than 500 people are affected. With over seven years’ worth of data, I’d guess that threshold has been exceeded. Myfoxtwincities.com says “thousands” could be affected.)
The story was made public because Delta Dental, Minnesota’s largest dental insurer, started mailing clients about the data breach. However, there is a question on who’s responsible.
Obviously, the expert witness — a third party — should be faulted. Not that he wanted to be at the center of things, but it was his laptop (with the disk in the tray) that got stolen. However, legally speaking, I’m pretty sure it’s the owner of the data that’s held responsible for the breach. (The law assumes that the owner of the data will deal with the third party privately and separately.)
Owner of the Data Responsible: Got It. Who is it, Again?
This is where it gets convoluted.
Under HIPAA / HITECH, it’s the owner of the data that is supposed to notify clients of the data breach. Delta Dental is the one who started alerting affected clients, so the implication is that they are the owners of the data, and hence they’ll be held accountable for the third-party breach. But, hold on:
Delta Dental said it has taken steps to protect its clients from identity theft; however, when the computer disappeared, the state’s largest dental insurer said The Smile Center never told its patients their medical records had been compromised. [myfoxtwincities.com, my emphasis]
This implies that it was The Smile Center’s data that got compromised, meaning they’re the data owners. If I’m inferring correctly, Delta only got involved when they decided they couldn’t wait for Smile to do something about it.
Or maybe, it means that there was both data from Delta and Smile, but only Delta decided to do something about the issue? Or maybe, the information was provided to the expert witness by Delta, but for some reason it thinks Smile is in charge of notifying patients?
I guess the real question is: who gave the expert witness that disk? And why didn’t they have the foresight to use encryption software to protect its contents?
Notifying Patients in a Timely Fashion
Dissent at databreaches.net has noted:
Not only did The Smile Center reportedly not inform their patients of the breach, but it seems that neither Delta Dental nor The Smile Center are taking full responsibility for the breach because the data were in the possession of a third party – an expert witness in the lawsuit…. This might be an appropriate incident to issue a fine for not notifying patients in a timely fashion.
I’d agree, except for one technicality: under the HIPAA Breach Notification Rule, a grace period of 60 calendar days is given for notifying people whose PHI (Protected Health Information) is breached. However, those 60 days start with the discovery of the breach, and the rule treats a breach as discovered on the first day it is known to the covered entity, or would have been known had reasonable diligence been exercised.
We know the theft of the laptop, the trigger for the breach, occurred four months ago. But when was the owner of the data notified of the breach? If the expert witness hadn’t voluntarily commented on the issue, the earliest the owner of the data should have known about the breach is when the trial was over and they asked the expert to return or destroy the disk. The lawsuit was settled in April, so under these assumptions neither company is in violation of the PHI Breach Notification Rule.
Like I said at the beginning, this is one convoluted incident. It also shows the limitations of the current rules regarding patient data security and notifications when things get really messy.