
Wednesday, December 17, 2014

Sony and Obamacare: Inadequate Privacy Protection

There are two issues that Sony and Obamacare share: What real accountability is there to INDIVIDUALS whose data is unwillingly breached? And, what real remedies are available to individuals whose data is breached?

First, the word “unwillingly” is a tough one. As I’ve discussed before, “CONSENT” is one of those odd words that turns up even where the person giving it apparently has little choice.

In insurance we know that to obtain coverage we must provide insurance companies with any information they demand in order to get our claims processed, which has even extended to the notes of mental health professionals; otherwise, our claims will not be covered.

In the employment field we know that we give “consent” to background checks, provide our social security numbers, and agree to company email policies that open us up to all sorts of scrutiny as a condition of our employment.

The first issue, then, is the idea of CONSENT and how we’re deemed to have given consent by participating in a particular system, whether it’s a healthcare environment or a workplace environment, and therefore to have accepted the RISK of having our data breached.

Secondly, there has been little to no remedy available to citizens whose data is negligently and/or deliberately exposed by either the government or a company. While everyone loves saying, “HIPAA,” under HIPAA there is NO availability of damages to individuals, only fines, ranging from the laughable where a breach of patient information is found to be unintentional to more serious penalties where an entity’s data breach is found to be intentional (which rarely occurs).

That’s right, no damages for individuals under HIPAA. All fines and monies paid go to the Federal government. So, an individual whose data is breached gets the “satisfaction” of knowing that the Federal government has taken money on behalf of citizens whose personal data is breached.

In the case of SONY, the allegations are also about negligence. Though proving negligence isn’t often difficult, typically proving DAMAGES has been difficult. Without proving DAMAGES, individuals are usually left without the availability of money damages for the breach of data and are often merely offered “free credit monitoring” to make sure no one wrongfully tries to set up bank accounts or credit cards using their name. (SONY has actually done this already).

As an aside, it should be noted that if SONY employees received the threatening letter allegedly from the hackers, they might have additional recourse as potential victims of extortion, harassment and endangerment by SONY (read about the threatening letter in the LA TIMES, 12/16/2014, Saba Hamedy, Meg James, “Sony hit with lawsuit by former employees over email leaks”).

Because of the inadequacy of consumer remedies when our privacy is breached without a showing of damages, we’ve got the media interviewing people who “encourage” everyone to ignore the emails and avoid gossip. I can’t agree, because I believe the SONY case can be of tremendous value precisely BECAUSE it involves individuals who, unlike us, are not considered “little people.” The rest of us have lived without the ability to effectively stop the publication of private information, whether wrongful, negligent, grossly negligent or otherwise, and have most often been left without any recourse in the form of damages, because damages directly resulting from such breaches are difficult to prove.

And so we get back to yesterday’s (12/16/2014) post, “35 Agencies with Your Medical Info? Comment to the Government,” at conoutofconsumer, about the intention of the Federal government to share your electronic health records with 35 Federal agencies under the Federal Health IT Strategic Plan 2015-2020.

You can look up the plan at healthit.gov, and find that under “Objective 2C: Protect the privacy and security of health information,” we are promised by the government, “The privacy and security of protected health information is a top priority of the federal government, and the government will continue to pursue efforts that ensure confidence and trust for individuals and their families, caregivers, providers, and others.”

Sorry, not good enough. Patient privacy has NOT been protected as promised with EHRs. As Kaiser Health News reported in February of 2014 (Michael Olive, 2/7/2014, “The Rise of Medical Identity Theft in Healthcare”), “…medical-related identity theft accounted for 43 percent of all identity thefts reported in the United States in 2013.”

Sharing of our medical information with 35 agencies and departments will only increase this risk because the government has not proven itself capable of avoiding hacking of US citizen information to a level that would justify the overly broad purposes of collecting, sharing and using patient information from EHRs.

As THE WASHINGTON TIMES REPORTED on 11/23/2014, “Even though there have been at least two dozen mass breaches of government computer systems since 2013, many federal agencies continue to have a lax culture and poor security provisions,” http://www.washingtontimes.com/news/2014/nov/23/cybersecurity-lapses-leave-us-government-agencies-/#ixzz3M4GLc2Kk.

While the breach of SONY executive emails is embarrassing for them, I believe the executives are taking the wrong approach. Instead of trying to save their own skins by whining to the media that it shouldn’t indulge in gossip, which is absurd, they could take the opportunity and the public spotlight to highlight the risks we all face in a world that provides little recourse to individuals whose private information is revealed, and use their stature to positively influence this condition for their fellow Americans.