The letters aren’t required by any law
They should be.
If you touch any personal information in any way (let alone medical), touching any known compromised system without very clear documentation of how the compromise happened, how it was resolved, and very clear process changes to make sure it doesn’t happen again should be a massive fine per user you service, plus treble actual damages. It’s gross negligence.
Having clear documentation of an attack isn’t red tape. It’s the absolute bare minimum.
One more point: a well structured law would likely lower the administrative burden on affected parties as well.
Service providers are asking because they genuinely need to know, and because medical information is pretty much the only area where there are comprehensive regulations on data protection. They could absolutely be held responsible for the negligence of allowing a known infected system to infect them. A known compromised system is known to be compromised until you’ve fully evaluated the attack vector, the scope of access, and taken steps to prevent that attack from happening again.
But because there isn’t a legally standardized mechanism to report security issues, vendors are rolling their own. Many of them would be perfectly satisfied accepting an official, standard, form, especially is there was some language that made it clear that acceptance of the form for reports was enough of a “best practice” to limit their liability if the system infected them after the fact.
Paywall
