A New England hospital has reported the disappearance of backup tapes containing ultrasound images and personal data of 14,000 patients. How do you handle a data loss when you don’t have any way of determining where the data went or who may have seen it? Is it a “breach” in the technical sense?
These questions call to mind former Secretary of State Donald Rumsfeld’s famous observation about assessing knowledge gaps:
“There are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns -- the ones we don't know we don't know.”
And a less-famous Rumsfeld quote from the same press briefing, “The absence of evidence is not evidence of absence, or vice versa” may also be applicable.
What is known, according to the press release issued by Women and Infants hospital, is that on September 13, 2012, the institution learned that unencrypted backup tapes containing ultrasound images went missing from two ambulatory sites in Providence, Rhode Island and New Bedford, Massachusetts. The backup tapes contained ultrasound images and included patient names, dates of birth, dates of exams, physicians’ names, patient ultrasound images, and, in some instances, Social Security numbers.
The hospital has concluded that they have no reason to believe that the information has been accessed or used improperly, because doing so would require specialized equipment and technical expertise. The fact pattern and analysis recalls the 2011 breaches involving SAIC/Tricare and Nemours discussed on this blog in October 2011 by my partner Elizabeth Litten. As she noted,
When is the mere “ability” to read PHI, without evidence that the PHI was actually read or was likely to have been read, enough to trigger the notice requirement under the Breach Notification Rule? Will covered entities provide notice out of an abundance of caution to report every unlocked or unencrypted data file, possibly flooding the HHS website that lists large PHI breaches (the “HHS List”) with potential breaches that have minimal or no likelihood of access and unduly alarming notified individuals? Could such reporting have the unintended effect of diluting the impact of reports involving actual theft and snooping?
At this time, Women & Infants has notified affected patients and established a hotline but is not yet offering credit monitoring or identity theft protection. Further, there is no indication of a report having been filed with HHS, but once again “absence of evidence is not evidence of absence.”
Applying the Rumsfeld test, I believe Women & Infants is facing both “known unknowns” and “unknown unknowns.” They know that they don’t and cannot be certain whether the data has been accessed, but if it has been, they cannot know the extent of the potential damage to the affected individuals. The long-overdue “mega-regulation,” which may finally see the light of day now that the election is over, may provide some useful guidance.
In the meantime, enjoy some of former Secretary Rumsfeld's greatest hits.