I had commented on the “Delta Dental – The Smile Center” breach story yesterday (the one where a disk with personal data was not protected with data encryption like AlertBoot) that it was hard to tell which party was responsible for the lost data. Responsible as the data owner, that is (I think everyone’s in agreement that it was the expert witness who actually caused the breach).
Well, it turns out that Delta Dental is the owner of the data:
As part of the lawsuit, Delta Dental was required to provide the disk containing patient data to the Smile Center, their law firm, and their expert witness. It was this disk that was stolen in February from the expert witness’s office at the University of Minnesota. [drbicuspid.com, my emphasis]
Now it makes sense why Delta Dental started notifying clients. And, the quote I used yesterday makes even more sense:
Delta Dental said it has taken steps to protect its clients from identity theft; however, when the computer disappeared, the state’s largest dental insurer said The Smile Center never told its patients their medical records had been compromised. [myfoxtwincities.com, my emphasis]
Of course, the “its” in “never told its patients” refers to Delta Dental, not The Smile Center. I was wondering why Delta Dental was sending notification letters on behalf of The Smile Center. At the same time, now I have to wonder why Delta thought Smile would be notifying Delta’s clients.
Tough Deal for Delta Dental
HIPAA / HITECH makes it very clear that it’s the owner of the data that does all the notifying, and that they’re responsible for the breach. It’s assumed that the breached covered entity will deal with third parties (i.e., the BA, “business associate”) separately. The argument is that the breached entity, in this case Delta, will stop doing business with the BA, or pressure him to up his security, etc. It’s the trickle-down theory of security.
Except, of course, the BA in this case — the expert witness — technically worked for The Smile Center.
Delta Dental turned over the disc under the terms of a protective order entered by the court in the lawsuit. The Smile Center dental clinics, their law firm, and their expert witness were required by the court order to protect the disc and the data. At the time of the theft, the disc was in the custody and control of the expert witness for The Smile Center dental clinics at his University of Minnesota office. [deltadentalmn.org, my emphasis]
And, I guess that will give Delta the ammunition necessary to go after The Smile Center et al. However, I don’t think this gives them the ammo to say, “hey, under HIPAA / HITECH, we’re not responsible.” Whose data was it? Well, Delta handed it over, so it must be Delta’s data. The buck stops with Delta, as far as I understand HIPAA / HITECH.
(I’m not a lawyer or legal scholar, by the way. This is not legal advice, blah, blah).
It’s a terrible deal for Delta Dental. They were forced to turn over the data. They have absolutely no hold over the expert witness, since he’s working for the other side. And yet they’re “stuck with the bill”: they have to notify the affected patients, they have to offer the credit monitoring, they have to take the PR hit. It’s terrible. I’m pretty sure it wasn’t supposed to work this way.
On the other hand, they could have given out the information in encrypted form. Had they used encryption software to protect their clients’ data, it wouldn’t have turned out the way it did.
Of course, then again, there is the chance that someone could have stuck the password to the laptop (ah, Post-It Notes, the bane of security professionals). But, some experts have noted that HIPAA / HITECH has no provisions on what happens under such circumstances, and have claimed that as long as the PHI is encrypted, you’re set, passwords be damned. Whether this argument will actually fly with OCR and HHS is another story entirely. (The point is to keep PHI protected, not to just install encryption and forget about it).
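To make the last two paragraphs concrete, here is an added example (my own illustration, not code from the original post, from Delta Dental, or from AlertBoot) of what “handing over the data in encrypted form” looks like at the file level. It uses only the Go standard library: a passphrase is stretched with PBKDF2-HMAC-SHA256 into an AES-256 key, and the record is sealed with AES-GCM so that a wrong passphrase or any tampering is rejected outright rather than decrypting to garbage. The patient record is a constructed sample value, the passphrases are placeholders, and the iteration count is illustrative. The salt and nonce may travel on the disk with the ciphertext; the one thing that must not is the passphrase, which is exactly the Post-It Note problem.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Key-derivation parameters. The iteration count is illustrative (an assumption
// for this example); choose it against your own hardware budget.
const (
	saltLen    = 16
	keyLen     = 32 // AES-256
	iterations = 200_000
)

// pbkdf2SHA256 implements PBKDF2 with HMAC-SHA256 (RFC 8018 section 5.2).
// Written out here so the example needs nothing outside the standard library.
func pbkdf2SHA256(passphrase, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(sha256.New, passphrase)
	out := make([]byte, 0, keyLen)
	for block := uint32(1); len(out) < keyLen; block++ {
		// U1 = PRF(P, S || INT(block))
		prf.Reset()
		prf.Write(salt)
		var be [4]byte
		binary.BigEndian.PutUint32(be[:], block)
		prf.Write(be[:])
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		// Uj = PRF(P, Uj-1); T = U1 xor U2 xor ... xor Uc
		for i := 1; i < iter; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// Seal encrypts plaintext under a passphrase with AES-256-GCM.
// Output layout: salt || nonce || ciphertext+tag. Everything in the output
// may sit on the shared disk; only the passphrase has to stay off it.
func Seal(passphrase string, plaintext []byte) ([]byte, error) {
	salt := make([]byte, saltLen)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(pbkdf2SHA256([]byte(passphrase), salt, iterations, keyLen))
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	header := append(salt, nonce...)
	return gcm.Seal(header, nonce, plaintext, nil), nil
}

// Open reverses Seal. A wrong passphrase or a modified byte fails the GCM
// tag check and returns an error instead of plaintext.
func Open(passphrase string, sealed []byte) ([]byte, error) {
	if len(sealed) < saltLen {
		return nil, errors.New("ciphertext too short")
	}
	salt, rest := sealed[:saltLen], sealed[saltLen:]
	block, err := aes.NewCipher(pbkdf2SHA256([]byte(passphrase), salt, iterations, keyLen))
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(rest) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := rest[:gcm.NonceSize()], rest[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

func main() {
	// Constructed sample record standing in for a row of patient data; not real PHI.
	record := []byte("patient_id=00000,name=Example Patient,dob=1970-01-01")
	sealed, err := Seal("placeholder-strong-passphrase", record)
	if err != nil {
		panic(err)
	}
	if _, err := Open("guess-from-a-post-it", sealed); err != nil {
		fmt.Println("wrong passphrase rejected:", err)
	}
	pt, _ := Open("placeholder-strong-passphrase", sealed)
	fmt.Printf("recovered: %s\n", pt)
}
```

If a disk protected this way is stolen, the thief holds salt, nonce and ciphertext and still has to guess the passphrase, with each guess costing a full PBKDF2 run. That is the property the “encrypted PHI is safe-harbored” argument leans on; a passphrase written on the disk sleeve collapses it, which is why the key-handling procedure matters as much as the cipher.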
Related Articles and Sites: