2015 Volume 15 Issue 4 Pages 233-241
The objective of this study was to investigate the amount of time actually taken by medical facilities between detection of a data breach of patients' personal information and its public announcement, and to analyze the factors responsible for delays in public announcement, in order to propose a basic protocol that medical facilities should adopt to ensure appropriate handling and timely public announcement of data breaches.
A total of 249 cases of data breaches involving patients' personal information that had been reported or made public through newspapers, websites, and similar channels between 2008 and 2012 were included in the analysis. Statistical characteristics of the time taken before public announcement were identified. In addition, factors that had caused delays in public announcement were explored using statistical and case analysis.
The study revealed that the time taken before public announcement was within two weeks in three-fourths of the cases (half of them within one week). However, 10% of the cases required 25 days or more before public announcement. The major factors responsible for delayed public announcement fell into three groups: 1) rational reasons, such as implementation of preventive measures against further expansion of the damage; 2) irrational reasons, such as delay in reporting by the person responsible for the breach; and 3) neutral reasons, such as discussions to determine the responses and measures to be taken.
If the cause of a delay in public announcement is attributable to rational reasons, it may be deemed acceptable. However, delays due to irrational reasons should be avoided. When a data breach occurs, medical facilities must act as quickly as possible, combining emergency response measures against further expansion of the damage with prudent and correct measures.