One unique aspect of information is that it can be stolen, yet remain in the owner’s possession. Apparently, medical facilities are required to report if your medical information is stolen, but not if it is merely kidnapped and held for ransom.
“Some Cyberattacks Go Unreported,” The Wall Street Journal, June 19, 20127 B3. Whether hospitals need to report a ransomware attack of their files as a data breach is a “gray area,” and the federal government doesn’t require such reports, even if the government knows about them. Some hospitals don’t report ransomware attacks, so these attacks are not in the HHS statistics.
So, patients don’t know when hospitals have weak security protection. What value, then, are the government statistics? Do they need a big asterisk?