The Regulation defines a Health Data Breach as the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. This broad range of events makes the point that the cause of a breach is by and large irrelevant: a breach occurs not only when a data controller's or processor's system is hacked by external perpetrators, but also whenever a disgruntled employee deliberately destroys or steals personal data.
Likewise, any accidental data loss caused by back-up routines that turn out to be less than fail-safe, or the loss of personal data due to a virus or Trojan, must also be treated as a Health Data Breach within the meaning of Article 4 of the Regulation.
When Is A Health Data Breach Report Due?
According to the first draft Regulation, a Health Data Breach was to be reported within 24 hours of the time the breach was established. This reporting duty raised widespread concern among companies in Europe and the U.S. that it would place an unreasonable, and in practice unachievable, burden on the data controller. The version of the draft Regulation adopted in October by the Committee on Civil Liberties, Justice and Home Affairs of the European Parliament fortunately eliminated the inflexible 24-hour deadline and instead obliges the data controller to report breaches without undue delay after the Health Data Breach has been established.
This raises the question of when a breach must be assumed to have been established. Because most small to mid-size businesses, and even some large corporations, still have not implemented an appropriate incident detection and reporting system, Health Data Breaches often go unnoticed and are therefore never established in the first place. Anyone who thinks that maintaining this technical status quo and not looking too closely at possible incidents is a sound policy had better think twice, however: a short glance at the recitals suggests that ignoring the potential for data loss will not help. One recital in particular suggests otherwise by stating: