Organizations are getting very serious about how they react to a data breach of confidential information. On January 10, 2013, an employee of a contractor who processes Medicaid prescription transactions lost a USB drive with about 6000 patients’ names, Medicaid identification numbers, ages and recent prescription drug use histories. Less than a week later, she was fired.
The organization affected was the Utah Department of Health. It uses Goold Health Systems to process pharmacy claims for Utah’s low-income health program. The breach occurred because a Goold employee copied a report containing the confidential information on 6000 Medicaid enrollees to an unencrypted USB drive. She left the company facilities with the thumb drive in her possession. She copied the report to the thumb drive because she was having trouble uploading it to a secure file server, which is the normal process. She planned to upload it later. According to Goold, doing this is against company policy.
There are numerous problems in this scenario.
The first is that the employee didn’t realize copying personal health information (PHI) onto a thumb drive was against company policy. I don’t know if that’s true or not. Maybe she knew, but thought it was no big deal. If she didn’t know, then the company has a serious training problem. Anyone dealing with PHI or any sensitive data needs to be trained on proper handling of the information. If she knew and did it anyway, the training isn’t very effective. Someone besides the employee may need to be held accountable.
The next problem is that the confidential information was not encrypted. At a minimum, the company should either restrict copying information to USB drives or require that all USB drives used for company business be encrypted.
A better approach is to encrypt the document itself rather than relying on people to use encrypted devices. When the employee created and downloaded the report, a persistent security policy should have been applied to the document. The security policy defines who can view, edit, print, copy and save the file. If the employee had copied an encrypted file to a thumb drive and lost it, there would be no data breach and no problem. According to HIPAA regulations, if the information is encrypted, there are no data breach reporting obligations, since no PHI has actually been released.
If a document protected this way accidentally gets into the wrong hands, the information in it is worthless. It looks like random characters unless the person reading it has the appropriate access rights. As soon as Goold realized they had a potential data breach, they could have immediately revoked access to the document. This effectively kills all access to it.
Goold may be liable for penalties and legal action under Utah data breach legislation and HIPAA. It’s possible that the thumb drive was thrown into the trash and no one will ever see it, but it’s also possible that someone may find the information and use it for identity theft. Either way, the laws are fairly explicit.
Violating policy on PHI is serious business. In this case it got someone fired. Anyone dealing with protected information needs to encrypt it to prevent a possible data breach.
Photo credit alisdair