A company named SLC Security, LLC (“SLC”), recently announced that it will begin notifying individuals when it believes it has identified a security breach or vulnerability at a company and has not received a satisfactory response from the company to which it reported the issue.
On SLC’s blog, it claims it is providing “awareness to individuals and organizations that are leaking information and the information of their customers.” SLC also claims it lists entities on its site who have been “verified to be leaking personal information” and that it “will include information [on the site] on what type of information is being leaked.” On October 16, 2014, SLC announced in a posting that:
“HIPAA Has No Teeth – Here’s what we are going to start doing
Starting today we will start mailing out notifications directly to the affected person[s] when we don’t get a response from the organization we report. It’s not fair that companies can choose to ignore issues that they know exist and it’s really not fair that they take the stance that if they are not aware of the issue that they can just ignore it while consumers are sitting by hoping nothing happens to their identities or their bank accounts…”
Although the title of SLC’s posting indicates that it is concerned with healthcare organizations, the posting also states that SLC is allegedly concerned about individuals’ “identities or their bank accounts.” This claim may mean that SLC’s notifications could include clients or consumers of organizations other than those in the healthcare industry.
It is worth noting that on May 7, 2014, the Office of Civil Rights, Department of Health and Human Services (“HHS”), reached an agreement with New York Presbyterian Hospital (“NYP”) and Columbia University (“CU”) after NYP and CU jointly reported a breach of electronic personal health information (“ePHI”). The breach was discovered when the entities received a complaint from an individual who found the ePHI of the individual’s deceased partner, a former NYP patient, on the Internet.