
Best of the Blogs

December 25, 2007
by root

The following commentaries are the most read postings from HCI's Blogosphere. To read other postings and leave your comments and questions, visit, register with a username and password, and blog away.

Cause and Effect
Posted on: 12.4.2007 12:10:03 PM
Posted by Reece Hirsch

One of the challenges for a plaintiff bringing a lawsuit based upon a data security breach is causation. For example, if a laptop is stolen containing your personal information and you are a victim of identity theft a week later, can you be certain that the two events are linked? More to the point, will a court allow your claim to proceed based upon that possible (and perhaps likely) connection?

A Nov. 20 ruling by the Ninth Circuit Court of Appeals provides insight into how courts will evaluate causation in data breach cases. In the Ninth Circuit case (Stollenwerk v. TriWest Health Care Alliance Corp., 9th Cir., No. 05-16990, unpublished opinion 11/20/07), three plaintiffs filed a complaint against a healthcare company after personal information on over a half million military retirees was stolen from the company's offices. One of the plaintiffs identified at least six unauthorized attempts to use his personal information within six weeks after the data breach.

The Ninth Circuit reversed a trial court's grant of summary judgment dismissing this plaintiff's claim. The court relied upon the fact that the attempted identity theft occurred shortly after the breach, as well as other circumstantial evidence. In particular, the court noted that the data subject to the breach was the same kind of data needed to commit the identity theft that was later attempted. Of course, causation is just one of the challenges facing data security breach claims, but that is a subject for other postings…

HIPAA Security and Vendors
Posted on: 12.1.2007 12:42:33 PM
Posted by Reece Hirsch

One trend that I'm seeing in my practice representing healthcare information technology companies is an increased focus on applying the HIPAA Security Rule standards to vendors. A HIPAA business associate agreement is only required to contain relatively sketchy representations regarding “reasonable and appropriate” vendor security measures. For application service providers and other vendors that maintain significant quantities of protected health information, some HIPAA covered entities are beginning to seek much more detailed security representations that amount to compliance with the Security Rule. For vendors, this sort of approach can seem burdensome and overly prescriptive. For HIPAA covered entities, the approach is intended to ensure that security protections are not diminished when data is in the hands of vendors. In any event, it is a negotiation that many healthcare technology companies are faced with …

Passing of Art Randall
Posted on: 12.1.2007 11:02:01 AM
Posted by Vince Ciotti

Sad word this week: the passing of Art Randall, former sales exec at McAuto. Anyone who worked at McDonnell-Douglas couldn't fail but remember Art's great sense of humor, fiercely competitive spirit in the HIS sales world, and indomitable leadership style. In that primarily engineering-oriented aerospace firm, sales was not given as high a priority as it deserved, and Art fought the good fight during his decades there, giving the ex-IBM sales crowd at rival SMS a run for their (your?) money. What I remember most about Art was his incredibly diverse talents: he could repair clocks, restore old cars, write articles on ANY subject in minutes, and give speeches that held audiences enthralled. A larger-than-life, Protean charmer, Art will be sorely missed. Condolences to his many friends and family.

A fund is being set up in Art's memory to fight the cancer that took him. Checks should go to “USSVCF”/“The Art Randall Scholarship Fund” and be sent to the following address:

USSVI
Attn: Art Randall
PO Box 3870
Silverdale, Washington 98383

Invasion of Privacy
Posted on: 12.3.2007 2:57:12 PM
Posted by Jim Feldbaum

If we are looking for a major hurdle to a unified Electronic Health Record we need look no further than our healthy “concern” about the privacy of our personal health information. The paper chart, with its meandering trail from hospital department to department and open access to anyone with the nerve to sneak a peek, was rarely the genesis of national headlines or concerns. The incidents of “invasion” were no doubt numerous, but the nature of the paper chart makes any actual quantitative analysis impossible. When there was a “leak” of information, the offending culprit was impossible to track.