Since the breach notification requirements applicable to entities covered by HIPAA went into effect almost two years ago, we have seen numerous reports of large health information breaches. These reports identify the entities involved in the breach, the number of patient records breached, and the type of data believed to be potentially at risk. But rarely do those reports go into much detail on the impact (both financial and psychological) of the breach on either the patients whose data was part of the breach or the provider entities experiencing the breach.
My friend Micky Tripathi, the President and CEO of the Massachusetts eHealth Collaborative, has written a blog post on a recent breach experienced by his company that provides a very complete and thoughtful account of the incident and how they handled it.
Overall, I was very impressed (and heartened) by the degree of care and concern in the Massachusetts eHealth Collaborative’s response to this incident – but two other thoughts came to mind: