My first data breach went like this: In the early 2000s, a young accountant was flying back to the home office after working several days onsite at a year-end audit. She had brought along two compact discs, one loaded with detailed employee information and the other loaded with her favorite songs. Thinking it was her tunes, she put the CD with the employee data in the seat pocket in front of her. She forgot about it until she was out of the terminal. She rushed back in, worked with the airline to try to track down the CD, but the cleaning crew was too efficient. It was gone.
The chances are the disc was in a landfill buried in a stack of old newspapers by the time the auditors told me about it, but we (the employer being audited) couldn’t take a chance that the data wasn’t in the hands of an identity thief. A pretty emotional process of disclosure to the board, our employees and ultimately the public followed. If we had any decent reason to believe that the information couldn’t have gotten into the wrong hands, we could have taken a more discreet approach.
If one of the cleaning crew had seen the disc and said, “Hey, this isn’t obviously trash. Let’s put it in a safe place and have the airline contact the person who sat here,” a lot of angst and agita would have been avoided.
I thought about that breach the other day when I was reading an ethics opinion from my state bar association. The opinion dealt with the question of “metadata” in an electronic word processing file. Lawyers routinely email document files to outside parties to get deals done and resolve disputes. Aside from the words on the page, this type of file automatically embeds data about the document and its creator. It can include tracked changes and internal commenting and thus can expose confidential client data.
The ethics opinion dealt with the obligations of the sender and the receiver of the unintentionally disclosed client confidences. As the State Bar of Texas sees it, the recipient doesn’t have many obligations when he or she finds unintentionally disclosed confidential data. The Texas Disciplinary Rules “do not prohibit a lawyer from searching for, extracting, or using metadata and do not require a lawyer to notify any person concerning metadata obtained from a document received.” What kind of cutthroat lawlessness is this?
Other states, such as Florida and Georgia, require that the receiver who becomes aware of the information promptly notify the sender of the inadvertent disclosure. They call the rule “Respect for Rights of Third Persons.”
As the title of the rule suggests, there is a basic moral issue when we find someone else’s sensitive information. We sense that we should let the person know and return or destroy the information. We don’t know why it was left there, but we know it’s not ours.
Protected Health Information is usually highly specific. If I find it, I can probably find the person described. What if I were encouraged to let the person know I had the information? Most people want to do the right thing. What if that were encouraged?
Under the HIPAA rules, when protected health data “escapes,” a breach is presumed “unless there is a low probability that the … information has been compromised” based on a guided assessment. Someone saying, “Hey, I found this” would help in this assessment. At a minimum, it would show how far the information had moved from where it was lost.
In absence of any information, the covered entity has to assume the worst and follow the steps required under the Breach Notification Rule.
If you find someone’s health information, let them know. It will be a good deed. It may, in some sense, be risky, but that adds to the value of the act.