… Articles about cancer research in scholarly journals are the lifeblood of the fight against cancer. For doctors and researchers, flagship journals such as The New England Journal of Medicine, the Journal of the American Medical Association (JAMA) and The Lancet are critical for keeping up to date with the latest breakthroughs, establishing new standards of care, and improving treatments for patients.
In January, a proposal was put forward by the editors of these publications, the International Committee of Medical Journal Editors, that poses a serious threat to the privacy of patient data. In it, the editors would require that investigators of clinical trials make publically available within six months of publication de-identified (i.e., anonymous), individual patient data underlying the results presented in the trial.
that Adam Schefter violated Florida Statute § 456.057, which states in a nutshell that medical records maintained by hospital, clinical laboratories, and other health care practtioners shall be kept confidential. Specifically under subsection 7(a) of the Florida Statute, records shall only be provided to the patient, his/her legal representatives, and other health care providers. Medical records under this statute shall not be disclosed to anyone else without the patient’s written consent. The complaint specifically asserts that Schefter is in violation of § 456.057(11) which states that a third party in receipt of medical records is “prohibited from further disclosing any information in the medical record” without the patient’s express written consent. Likewise, the complaint holds Jackson Memorial Hospital accountable for disclosing the records in the first place without his consent.
Jason Pierre-Paul also accuses Schefter of invading his privacy. Invasion of privacy is a common law tort offense that comes in various forms. Here, it comes in the form of public disclosure. Pierre-Paul alleges that this medical information about his amputated fingers was private and that publishing them on a very large scale was offensive to him. To prove any public disclosure-invasion of privacy claim, the plaintiff has the burden of proving that 1) private information pertaining to him was disseminated to a large audience and 2) the information that was shared is not of public concern.
The lawsuit also holds ESPN responsible for Schefter’s actions under the respondeat superior doctrine, which is a very fancy legal term which states that employers are held accountable for the actions of their employees that are performed in the course of their employment.
Needless to say, Schefter was simply doing what any great journalist does best, which is to share the news. Whether it was right for him to tweet the medical records is more a matter of journalistic ethics. ProFootballTalk opined on this matter, questioning whether Adam Schefter really needed to share Jason Pierre-Paul’s medical records to the whole world. But as a matter of law, Schefter and ESPN seem to be in the clear and I would expect this case to be dismissed.
The records — which include a tally of security incidents reported by HHS components between January 2013 and September 2015 — provide a very high-level view of the challenges the department faces. On the whole, HHS reported 26,381 incidents over a 30-month period: 40 percent of which were categorized as unauthorized access; 14 percent as scans, probes or attempted access; and 12 percent as malicious code.
But certain trends become apparent after parsing the data.
For instance, over that time period, CMS reported 7,600 incidents of unauthorized access, a category the National Institute of Standards and Technology defines as “a person [gaining] logical or physical access without permission to a network, system, application, data or other IT resource.” These incidents — accounting for 56 percent of all reported incidents — could signal a network breach by a malicious actor. More often than not though, such incidents are merely an employee or contractor accessing a system outside the scope of their work. That’s a violation of protocol perhaps, but not malicious.
In contrast, CMS only discovered 250 instances of malicious code embedded in its systems, the lowest among the major incident categories reported, accounting for less than 2 percent of its total reported incidents. The majority of HHS components followed this same track, though not to the same extreme.
CDC and NIH were exceptions. For both, malware stood as a predominant threat vector.