CMS, VA inconsistent in data breach responses

The Centers for Medicare & Medicaid Services and the U.S. Department of Veterans Affairs are among eight federal agencies chastised in a new Government Accountability Organization report for inconsistency in responding to data breaches involving personally identifiable information. The report is based on a performance audit of the agencies conducted from November 2012 through November 2013.

CMS, the report's authors say, failed to document both risk levels and the rationale for its risk determinations with regard to incidents reviewed by GAO. Specifically, CMS did not document a risk level for 56 of 58 incidents.

What's more, both CMS and VA did not always document the number of individuals impacted in each case. In the case of CMS, the agency documented affected individuals in slightly more than half of the incidents reviewed (31 of 58). The VA, however, failed to document a single affected individual in 60 incidents reviewed.

"While it may not be possible for an agency to determine the exact number of affected individuals in every case, an estimate of the number of affected individuals is important in determining the overall impact of the data breach," the report's authors said. "Until CMS [and] VA ... document the number of affected individuals for each incident involving PII, they run the risk of improperly assessing the likely risk of harm associated with each incident."

CMS and VA also failed to consistently document lessons learned from such breaches, according to the report. The authors said that while guidance from the Office of Management and Budget "did not specify requirements for identifying lessons learned" that could help with future data breach prevention, the National Institute of Standards and Technology stresses documentation of lessons learned to ensure accuracy in breach response policies.

"Without more specific guidance on addressing and documenting lessons learned, these agencies are at risk of experiencing similar data breaches in the future and possibly suffering adverse effects that might have been prevented," they added.

A report published in December 2012 by the Ponemon Institute determined that data breaches were costing health organizations close to $7 billion annually. Still, privacy experts speaking last summer at the Healthcare Privacy Summit in Washington, D.C., called current efforts to deal with health data security too reactive.

The U.S. Department of Veterans Affairs in July moved to dismiss a lawsuit brought against it following a data breach made public last April by the William Jennings Bryan Dorn VA medical center in Columbia, S.C. In that breach, personal information for nearly 7,400 veterans was put at risk when a laptop was stolen from the facility in February. Shortly after those impacted were notified, two veterans--Richard Beck and Lakreshia Jeffrey--sued the organization, claiming that VA officials failed to implement "basic computer safeguards."
