The sky is not falling – yet. But if a recent development in Massachusetts is a harbinger of things to come, anyone involved in risk, compliance, or information security may need to prepare for some major overhauls to our risk assessments.
According to an article in National Law Review, a recent case in Massachusetts Superior Court is concerning. The plaintiff brought a lawsuit against Boston Medical Center following the accidental exposure of patient data through a vendor web portal. The author specifically notes that although “Plaintiffs do not allege that any unauthorized persons actually viewed, accessed or misused their private information,” the case was allowed to move forward based on the “real and immediate risk” of damages that may result from the disclosure of the information.
So far, this is one case in Massachusetts, and in most jurisdictions courts will only allow a lawsuit if there is evidence of actual damages (identity theft, for example). But if other courts begin to look at this case as precedent, the costs to remediate any breach or accidental disclosure could become significantly more than any institution can afford. In addition, the insurance industry will likely respond with more stringent requirements for cyber liability insurance and premiums will likewise go up. All of this leads back to the reliance on sound risk management beginning with the initial assessment.
It will also require hospital vendors (those business associates referred to in the HITECH Act of 2009) to redouble their efforts to identify and remediate risks before they too are front page news.