This has been on my mind. A lot. Every day, I open my email to find news about how a company needs to pay a fine or a fee to either an individual or a regulator because data was leaked or stolen. This one in particular caught my eye because it is a classic example of data being accessed by likely the wrong individual and shared with someone who should definitely not have been able to see it. This one seems to be an access control and encryption play. If they were in place, this healthcare entity wouldn’t have to shell out $853K and violate HIPAA regulations in the process.
And this one! It dates back to 2015, but it is still one of the largest hack attacks to date, and the settlement (which was just reached) is nearly $1 million dollars! All because a sophisticated attack allowed the hackers to steal user credentials and 3.5 million patient records. As a result (besides the $900K) MIE has a laundry list of technologies they will be required to invest in as well as implementing “controls during the creation of accounts that allow access to ePHI”.
This tells me something. It tells me that there are still so many companies that do not have strong sensitive data security and privacy controls in place.
And, it leads me to feel even more strongly about the “file centric” approach. A file centric approach means that you are focusing on the actual data, (in both of these cases, PII) rather than the location of the data. Encryption and access control in these cases could have made a significant impact and saved; the victims of the breaches from potential harm like ID theft AND the entities themselves a lot of money. I’ll be talking more in detail about this in my upcoming webinar “Overcoming Unstructured Data Security and Privacy Choke Points” this Thursday, June 6th at 1:30 pm. I’ve embedded the link so you can go ahead and register.
See you then!