I will be presenting these situations, questions, and observations as a series here on PrivacyWonk. I invite your feedback through the comments section or by e-mail. Please add to the discussion!
A distraught individual, who has experienced the proverbial run-around with a government agency, begins posting messages to an agency's facebook page containing very sensitive information in the hopes of reaching someone who will help. The information includes a name (as detailed by facebook user account), a case number, and a description of a medical condition.
Background: The government agency elected to begin using social networking sites to increase public interaction with the agency. It has chosen to use facebook, allows public viewing of the page, and allows search engines to index the page. The agency has developed a social media policy that states all comments will be published but may be moderated after the fact if they contain improper language, are off topic, or contain personal information. Due to resource limitations, the agency has elected to only review the site once a week.
Impact: The individual has compromised their own information. The government run facebook page is now displaying Personally Identifiable Information (PII) and Protected Health Information (PHI) to the world, further compromising the information every time a new visitor lands on the page.
- While there is no question who is at fault for the original compromise, does the government agency share responsibility for allowing further compromise of the information?
- Does the agency have a legal responsibility to report it as a breach*?
- Does the agency have a moral/ethical responsibility to report it as a breach?
- Would tracking situations of public/government interaction via social media sites that result in a compromise of PII be useful for making decisions on directing training, notification, and design of social media presence? If so, would they result in a more restrictive approach or simply a better design?
(1) OMB Memorandum (M) 07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information defines a breach as (verbatim copy): "For the purposes of this policy, the term "breach" is used to include the loss of control, compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access, or any similar term referring to situations where persons other than authorized users and for an other than authorized purpose have access or potential access to personally identifiable information, whether physical or electronic."
(2) HIPAA HITECH's defines a breach as (verbatim copy):
"SEC. 13400. DEFINITIONS. In this subtitle, except as specified otherwise:
(A) IN GENERAL."The term "breach" means the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.
(B) EXCEPTIONS."The term "breach" does not include"
(i) any unintentional acquisition, access, or use of protected health information by an employee or individual acting under the authority of a covered entity or business associate if"
(I) such acquisition, access, or use was made in good faith and within the course and scope of the employment or other professional relationship of such employee or individual, respectively, with the covered entity or business associate; and
(II) such information is not further acquired, accessed, used, or disclosed by any person; or
(ii) any inadvertent disclosure from an individual who is otherwise authorized to access protected health information at a facility operated by a covered entity or business associate to another similarly situated individual at same facility; and
(iii) any such information received as a result of such disclosure is not further acquired, accessed, used, or disclosed without authorization by any person."