[Dataloss] 88 million... is it really an accurate number?
lyger
lyger at attrition.org
Tue Jun 27 21:08:13 EDT 2006
On Tue, 27 Jun 2006, blitz wrote:
": " I would imagine any combination of personally identifiable information that
": " could be used to impersonate someone.
": " Medical records are supposed to be protected under the HIPAA laws, but to
": " date, NO ONE has been prosecuted/fined for violations, and they are indeed
": " widespread. I myself have had private medical information leaked. I filed a
": " complaint, but it falls on deaf ears. Ears that are intending to protect
": " the wrongdoers.
": "
": "
": " At 19:05 6/27/2006, you wrote:
": " > And what is a "record" in this case? A single name-to-address or
": " > name-to-SSN mapping, or the whole block of name/addr/phones/ssn/
": " > license-plate/preferred-underwear-brand/criminal-record/allergy-list?
": " >
": " > _H*

Hobbit's question leads to yet another question regarding uniqueness:

You're an American citizen and have three credit cards. Two are VISAs,
one is a MasterCard. Are you:

1. One "record" because of your name and mailing address,
2. Two "records" because you have two different brands of cards,
3. Three "records" because you have three unique card numbers, or
4. Six records because of the cross-references between your card brands
and card numbers that seem to exist in various databases?

I can't honestly answer that question, so any insight would be
appreciated. Are combined raw numbers really useful? Example = Ohio
University. In their four or five breaches, are they counting for
uniques? Did one person's records live on five different breached
servers? One media story says 360,000. Another says 70,000. Is the media
counting "records", "names", "unique individuals", or some other criteria?

(if responding, please post below for easier thread-following)