Massachusetts among 16 states that don't require notification of data breaches

A new survey published in the Journal of the American Health Information Management Association made me aware of something that hadn't caught my eye before. Massachusetts, my home state, is one of a minority of states that DOES NOT have a data security breach notification law. California, which enacted its law in 2003, has the strongest such law in the country and was the inspiration for many other states' laws. In 2006, 27 states had such laws; beginning on January 1, 2007, 7 more state laws went into effect. But not in Massachusetts.

I'm not sure how much such laws do -- in Massachusetts, for example, TJX recently reported a huge data spill despite the fact that we have no such law, and according to a recent survey by PricewaterouseCoopers, as many as 1 out 6 companies required to comply with the California law do not do so.

Ironically, the market may be taking care of this in ways that it hasn't been able to before. TJX stock plummeted after the Massachusetts Bankers Association directly linked cases of fraud to the data spilled by the company (click here for an interesting description of this).

There is much talk about the need for more transparency in the healthcare market. Most healthcare organizations aren't publicly traded, of course, but the idea is that patients will vote with their feet if they see meaningful differences in health care quality among providers. If data breaches start becoming more widely reported, data security could become another factor that patients use to decide where they get their care.