Avoid Reading This Post If You’re Located in Rock County, Wisconsin.
Imagine this, you’re unsuspectingly going about your day in Rock County, Wisconsin, and only to find out much later that some sneaky cyber bug managed to infiltrate your county’s systems back in September and dip its grimy, virtual fingers into your data. Salty as a bag of chips, aren’t we? Especially when it seems the powers that be decided it wasn’t necessary to share the nitty-gritties about this unfortunate event with you. Not even the folks at the county board seemed privy to all the details.
Let’s pop the kettle on and have a chinwag about what didn’t make it to the local gossip mill. Now, don’t you think that as potential casualties of data breaches, we have a right, nay, a need, to be aware of the muck-up so we can assess the soy sauce we’re in and protect ourselves accordingly? This mystery is a bit like your nan’s trifle, layer upon layer.
Ye bobs, we’re apparently part of a “hybrid organisation” when it comes to data under HIPAA. Essentially, some of the files that some wrong ‘un gained access to, triggered compulsory notifications to individuals and the U.S. Department of Health and Human Services (HHS). At least that’s what they told the county board in mid-November. Three steps, they said, after a cyber-attack on health information: an investigation (which they claim to have a “pretty good idea” about), a data review, and then the notification process.
Did they disclose, oh by the way, they were legally obligated to announce the breach to the individuals and HHS no more than 60 calendar days from the date they twigged that they’d had a breach? And, pray when was that glorious moment, you ask?
Aside from this bureaucratic malarkey, there seems to be this penchant for opacity. Our beloved Rock County Administrator Josh Smith, along with a couple of others, felt it in our best interest to be kept in the dark about the cyber attack, less the naughty miscreants use any disclosed information as “leverage”. His reasoning was about not “connecting dots that could negatively affect the county,”. But what about the effects on us good folks!
By the end of September, it wasn’t much of a secret anymore that the cyber ruffian was the ransomware group dubbed Cuba, rumoured to be chums with Russia. The implication was to prevent, yet again, the dot connection that could bring unwanted attention to the county. But is it not us, the good people of Rock County, who might face the real brunt?
Prioritising the county’s reputation, and belittling our right to know feels a bit like the plot of a budget spy film, don’t you think? If only we were told about its presence on the dark web, perhaps we’d be in a better position to safeguard ourselves. This right to know should never be at the mercy of the discretion of a local IT team or legal eagles who might have priorities beyond helping out us victims.
This brings us back to our age-old argument – we need ground rules, and quick, to decide what gets shared so that victims are armed with all the information. As it stands, the HHS has an open case involving a previous debacle with Rock County’s Human Services Department. That affected over 25,600 patients.
So, let’s get our ducks in a row, pull up our British socks, demand transparency, and look out for one another. We’ve got our tea, we’ve got our wit, and we’ll certainly not be kept in the dark.
by Parker Bytes