He who sits on the fence and does not actively take measures to implement an incident discovery and reporting system that is up to its task may hence be punished by life, if not by the supervisory authority. On the other hand, one may justly assume that the mere suspicion or assumption that a breach may have occurred does not suffice to trigger a duty to report, and if a Medical Data Breach remains unnoticed by the data processor's state-of-the-art incident reporting system, no liability can arise from a failure to report it. Even so, private and public data controllers and processors will find it difficult to comply with this obligation.
A premature report to the supervisory authority can have serious consequences for the reputation of the company and for its market chances, and may also seriously damage the customer goodwill that took so long to acquire. In the end, however, any processor dealing with Healthcare Data Breaches would be ill advised to wait too long or to try to conceal a Medical Data Breach from the supervisory authority and the public. Once an incident has been discovered by the processor's IT system, the CIO and CPO should react swiftly and follow a procedure that guides them through all the steps necessary to verify the breach, its consequences and its possible causes, and to alert the CEO or board so that the incident can then be reported to the supervisory authority without undue delay.
Also, irrespective of the regulation itself, and as recent cases have demonstrated, if Medical Data Breaches are reported to the data subjects belatedly, this has the potential to cause greater damage to the trust between the data subject and the company than if the data subject is informed promptly. Data Breaches In Healthcare hence require excellent soft skills from those responsible for reporting them to the outside world, in particular when determining the right point in time to inform data subjects.
Considering the complexity of assessing possible data breaches and the task of finding a remedy once one has occurred, we hope that the Medical Data Breach Board will promptly issue guidelines, recommendations and best practices for establishing whether a data breach has occurred and for determining what constitutes undue delay in reporting it.