Data Breach | HHS HITECH Breach Notification — The World Privacy Forum filed comments on the HHS data breach rulemaking and asked for substantive changes in several areas. In particular, WPF asked HHS to expressly state a requirement for a breach risk assessment in the final rule itself, and to set a requirement that the risk assessment must be conducted by an independent organization. The WPF also asked that HHS set breach risk assessment standards so that there is some uniformity and guidance as to what constitutes an appropriately rigorous risk assessment when a breach occurs. In the comments, WPF also discussed the relationship between medical identity theft and medical data breach and how this impacts patients and consumers.
Consumer resource — We have updated the World Privacy Forum’s state-by-state guide on how to place a credit, or security, freeze. Only a few states are lacking a security or credit freeze law now.
OECD | Fair Information Practices — At a key meeting of the OECD on the future of the Internet economy, the OECD Secretary General Angel Gurria reaffirmed support of the 1980 OECD Privacy Principles. Also, Secretary General Angel Gurria expressed support for formalizing the participation of civil society in OECD going forward and for paying more attention to information security and identity theft problems. Secretary General Gurria noted that “A more decentralised, networked approach to policy formulation for the Internet Economy that includes the active participation of stakeholders needs to be the norm.” Many parts of the recent OECD meeting may be viewed online.
Financial privacy — The World Privacy Forum filed comments with the Federal Trade Commission today about its proposed study of credit-based pricing practices for homeowners insurance. The World Privacy Forum requested that the FTC ask insurers if there are specific procedures in place for detecting, mitigating, and responding to consumers who have been victims of identity theft. The WPF noted its support for the FTC’s use of the FTC Act Section 6(b) authority to acquire robust information from the insurance companies.
Medical identity theft update — The Federal Trade Commission released its national ID theft survey, which for the first time contains statistics specific to medical identity theft. According to the FTC report (p. 21), 3 percent of all identity theft victims in 2005 were victims of medical identity theft, which means that of 8.3 million ID theft victims, approximately 250,000 people were victimized by medical identity theft in that year alone. The purpose of the World Privacy Forum 2006 report was to prove that medical identity theft existed and was already occurring in large numbers. At the time the report was published, the crime of medical identity theft had not been specifically studied, nor was it understood to exist. The FTC statistics abundantly affirm the thesis and conclusions of the WPF report.