GAO: Data privacy protection must keep up with technology

Data privacy protection laws should be updated with the ever-changing technology landscape, according to a statement written by Government Accountability Office Director of Information Security Issues Gregory C. Wilshusen presented to a senate subcommittee on homeland security this week.

Wilshusen, whose written statement was meant for all government agencies, identified three areas he said were not fully adhering to key privacy principals:

  • Consistent application of privacy protections for federal collection and personal information use purposes.
  • Limiting use of personally identifiable information to a stated purpose.
  • Informing the public about privacy protections.

The statement specifically uses two events from this year as illustrations of the importance for improving security practices: a $1.5 million settlement paid by Blue Cross Blue Shield of Tennessee to the U.S. Department of Health & Human Services in March 2012 following the theft of 57 unencrypted computers containing patient information on more than 1 million individuals and the April 2012 breach of the Utah Department of Health, in which 280,000 people had their Social Security numbers exposed.

"Incidents such as these illustrate that sensitive personally identifiable information remains at risk and that improved protections are needed to ensure the privacy of information collected by the government," Wilshusen wrote. "Ensuring the privacy and security of personal information collected by the federal government remains a challenge, particularly in light of the increasing dependence on networked information systems that can store, process and transfer vast amounts of data."

One suggestion Wilshusen offered was for Congress to think about amending the Privacy Act of 1974 and the E-Government Act of 2002 so that each covers all personally identifiable information used by the federal government.

Nearly 21 million individuals have been affected by large health data breaches since September 2009, according to the HHS Office for Civil Rights, iHealthBeat reported this week.

To learn more:
- here's the statement (.pdf)
- here's the iHealthbeat post