If an organization in the United States, Canada, Europe and many other countries has a data breach, it is subject to federal, state and possibly industry fines. These can be very stiff in certain industries, especially healthcare. In the US, 47 of the 50 states have data breach notification laws that require any organization that experiences a data breach incident to report it to the proper authorities. In some states, like California, this could be within three days.
Beyond the fines, there are issues of losing customers and the value of a company’s brand. Just look at what happened to Target after a major data breach last year. Not only did the price of its stock drop, but the CEO was eventually fired.
Another major problem is the possibility of a lawsuit. Recently a woman in San Diego sued Rady Children’s Hospital because of a data breach in June where the hospital inadvertently emailed patient spreadsheets to a number of job applicants. Part of the information exposed was detailed medical information about the woman’s daughter. None of the recipients of this information were authorized to see it, since they weren’t hospital employees or even affiliated medical personnel. These were job applicants who accidentally got an email with the wrong information.
The hospital broke the law with this data breach and violated the Medical Records Confidentiality Act. The information leaked included names, dates of birth, primary diagnoses, discharge and admittance dates. This is not the type of information that should be shared with an unauthorized person.
Unfortunately this was another case of human error, or what I like to call an Ooops. As is usually the case with these incidents, none of the personally identifiable information (PII) was encrypted. The hospital did conduct an investigation and states the emails and the spreadsheet were deleted from the recipients’ devices, but this is a little too late. Since many people use public email systems, like Gmail, and many of us have backup and file sharing applications, it’s hard to know if the information is really gone. The hospital said it is increasing its data security to prevent these actions in the future.
One of the proposed measures is to require approvals prior to sending out emails. This may sound good, but may be impractical. If all emails require approval prior to sending, this could become a bottleneck and slow business for the hospital. A better approach would be to encrypt this information at the point of creation. If someone created the spreadsheet, a policy could automatically encrypt it based on the type of information inside. A security policy on the file would determine who can access the information inside and what they can do with it. If the spreadsheet were accidentally sent outside the hospital, it would be useless to anyone not authorized to access it. This would have prevented the job applicants from seeing this sensitive information.
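The approach described above, classification at the point of creation followed by encryption under a policy that names who may open the file, can be sketched in a few dozen lines. The following is an added example written for this article, not code from the hospital or from any product; the column patterns, the master key, the principal names and the sample spreadsheet are all constructed, and the SHA-256 counter-mode keystream is a standard-library stand-in for a real authenticated cipher such as AES-GCM. The key derivation binds the file key to the policy, so editing the policy to add a new reader invalidates both the integrity tag and the key.

```python
from __future__ import annotations

import csv
import hashlib
import hmac
import io
import json
import re
from dataclasses import dataclass

# Constructed sample export of the kind described in the article:
# names, dates of birth, diagnoses, admit and discharge dates.
SAMPLE_CSV = """patient_name,date_of_birth,primary_diagnosis,admit_date,discharge_date
Jane Example,2010-04-12,Asthma,2014-06-01,2014-06-03
John Sample,2008-11-30,Appendicitis,2014-06-02,2014-06-05
"""

# Header patterns that mark a spreadsheet as containing protected health information.
# Assumed for illustration; a real classifier would also inspect cell contents.
PHI_COLUMN_PATTERNS = [
    re.compile(r"name", re.I),
    re.compile(r"(dob|date[_ ]of[_ ]birth|birth)", re.I),
    re.compile(r"diagnos", re.I),
    re.compile(r"(admit|discharge)", re.I),
]


def classify(csv_text: str) -> set[str]:
    """Return the header columns that match a PHI pattern (empty set = not PHI)."""
    header = next(csv.reader(io.StringIO(csv_text)), [])
    return {col for col in header if any(p.search(col) for p in PHI_COLUMN_PATTERNS)}


def keystream(key: bytes, length: int) -> bytes:
    """Toy counter-mode keystream from SHA-256; stand-in for AES-GCM so the
    example runs on the standard library only. Not for production use."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


@dataclass
class ProtectedFile:
    policy: dict        # classification plus who may open the file and what they may do
    ciphertext: bytes
    tag: bytes          # HMAC over policy and ciphertext, keyed with the file key


def _file_key(master_key: bytes, policy: dict) -> tuple[bytes, bytes]:
    # Binding the key to the serialized policy means a tampered policy yields a
    # different key, so the stored tag no longer verifies and decryption fails.
    policy_bytes = json.dumps(policy, sort_keys=True).encode()
    return hashlib.sha256(master_key + policy_bytes).digest(), policy_bytes


def protect(csv_text: str, master_key: bytes,
            allowed: dict[str, list[str]]) -> ProtectedFile | str:
    """Encrypt the file at creation if it is classified as PHI; otherwise leave it as-is."""
    phi_cols = classify(csv_text)
    if not phi_cols:
        return csv_text
    policy = {"classification": "PHI", "columns": sorted(phi_cols), "allowed": allowed}
    key, policy_bytes = _file_key(master_key, policy)
    data = csv_text.encode()
    ct = bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))
    tag = hmac.new(key, policy_bytes + ct, hashlib.sha256).digest()
    return ProtectedFile(policy, ct, tag)


def open_file(pf: ProtectedFile, master_key: bytes, principal: str, action: str) -> str | None:
    """Release plaintext only to a principal whose policy entry grants the action.

    In a deployment the master key lives with the organization's key service and
    this check runs there, so an unauthorized recipient never holds the key."""
    if action not in pf.policy["allowed"].get(principal, []):
        return None                      # e.g. a job applicant: nothing usable
    key, policy_bytes = _file_key(master_key, pf.policy)
    expected = hmac.new(key, policy_bytes + pf.ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, pf.tag):
        return None                      # policy or ciphertext was altered
    ks = keystream(key, len(pf.ciphertext))
    return bytes(a ^ b for a, b in zip(pf.ciphertext, ks)).decode()
```

With this in place the spreadsheet that leaves the building is the `ProtectedFile`, and a recipient who is not listed in its policy cannot turn it back into the names and diagnoses it carries.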
It also would not be considered a data breach event. If information is encrypted in a format not readable by a person, then no data breach event occurred. This is stated in data breach notification laws and other legislation, such as HIPAA.
CEOs and boards have to worry about lawsuits in addition to fines and loss of customer or patient confidence after a data breach. Taking proactive measures that encrypt files and apply security policies to them is the best way to ensure that your customers’ information is safe from unauthorized access. It’s not only the right thing to do, it’s just good business.
Photo credit Eden, Janine and Jim