Proper management of data is critical for everyone, both employees and consumers. A breach of personally identifiable data, including a Social Security Number (SSN), driver’s license number, medical record, or financial record such as a credit or debit card, is destructive and insidious. The ITRC (Identity Theft Resource Center) recently released a report on the large number of breaches that occurred from 2005 to June 5, 2014. According to the report, 4,579 breaches were reported and 630,870,450 records were exposed, which clearly indicates the seriousness of this issue.
Data Leak at Rady Children’s Hospital – a Case in Point
A data disclosure that occurred at Rady Children’s Hospital in 2012 was caused by an employee’s mistake: the employee forwarded some patients’ private health information to a handful of job applicants without realizing that the information was confidential. As per the report, a spreadsheet that contained protected information of about 14,121 patients was forwarded to four job applicants. These applicants forwarded the document to two other people. When contacted, officials clarified that the wrongly sent spreadsheet had been deleted and that two of the recipients had been unable to open the file.
Another data breach at the same hospital, in 2014, came to light during the investigation of the first. In this case, another employee emailed what was meant to be a training exercise to 3 job candidates. It was the wrong file and contained patient information. This private patient data was seen by six more candidates who came to take a test. The file contained data on 6,307 patients: their names, locations, discharge dates, insurance company names, outstanding balances and so on.
Handling Data Breach Appropriately
Data security cannot be compromised in any organization. Officials handling sensitive information have to be extra cautious and implement appropriate measures that ensure total confidentiality. Rady Hospital is taking action to notify the affected individuals and their families as early as possible.
Once an information breach has occurred, prompt measures must be adopted to regain security and to protect the goodwill of the organization. First of all, capture relevant data on the incident and record it appropriately. Other actions to be performed are:
- Record the exact date and time of the breach.
- Document everything regarding the incident such as who discovered it, how the breach occurred, and the persons who know about it.
- Preserve evidence by securing the premises where the breach occurred.
- Document the response of those who discovered the breach.
- Review protocols regarding disseminating information.
- Bring in a forensics firm or notify law enforcement for further investigation, if needed.
Rady Children’s Hospital is adopting some measures to prevent data breaches in the future. The hospital will now use only “validated testing programs” to evaluate future candidates. In addition, it is implementing email encryption to protect sensitive data and educating employees about privacy policies.