Health Breach Notification Tracking (Report 2.2)
It's been 1,232 days and still no health breach notifications from 22 companies blatantly violating people's health privacy rights.
We're continuing to shine a light on privacy issues related to online addiction treatment and recovery support by updating our health breach notification tracking.
Our goal is to understand whether the companies are fulfilling their legal requirement to self-disclose their health breaches to HHS OCR, the FTC, the affected individuals, and the media. This tracking is necessary to determine the effectiveness of "self-regulation" in this space and compliance with the health breach notification law.
Topline: It's still not working.
We are now outside the mandatory 60-day health breach notification timeframe for every company we study.
This includes a company that, 69 days ago, experienced a highly publicized data breach in which 5.3 terabytes of sensitive health information (including ~126k files with recordings of addiction treatment appointments, health insurance information, drug screens, etc.) sat openly available online, accessible without any login credentials.
This is after class action lawsuits against some of the companies that engaged in this illegal data tracking.
This is after letters from US Senators inquiring about data tracking practices and their lack of compliance with existing privacy laws.
Still, no one we track has made the necessary health breach notifications after their well-documented and well-known data privacy issues.
In this light, it is hard to see how "self-regulation" is "working."
No, cookie banners and "click here to see privacy practices" do not qualify as informed consent.