The headlines this week make reference to a fairly minor theft of healthcare records at a Los Angeles clinic. The incident involved a janitor selling 14 boxes of computer reports for $40. The theft exposed 30,000 patient records. Although minor, this incident highlights several major issues that we have covered in our blogs over the last several months.
First, the possibility of a data breach caused by a trusted employee should be on every CEO’s list of threats that could cause significant harm to the business. The 2010 Verizon Data Breach Report states that 48% of data breaches occur as a result of employees stealing confidential information. That’s a 26% increase from 2009. The primary motivation for stealing highly confidential information is typically personal financial gain. There should be little doubt that many employees are feeling the impact of the recession, and selling confidential information to your competitors, or to more sinister buyers such as organized crime, could provide a means of holding off the creditors.
Second, the recent enactment of state and federal breach notification laws requires organizations to notify all individuals whose personal information was exposed. In the case of the Los Angeles clinic, the postage cost alone amounts to $12,600! Legal costs and damage to its reputation will have further impact on the clinic. I personally would think twice about doing business with an organization that treats confidential information with such careless disregard. I have been shredding confidential documents at home for years. You would think that healthcare operations in 2010 would at least have the common sense to shred documents before placing them in the trash.
Third, the loss of confidential information at the Los Angeles clinic stems from the lack of an effective top-down Data Governance Plan that addresses people, process and technology together. Executives must be fully invested in governance. Organizations that rely on their IT department alone to ensure that confidential information is properly secured are living under a false sense of security. All stakeholders within an organization need to have a role in protecting data and identifying security “blind spots”. Technology exists today to properly protect data throughout its lifecycle (both physically and digitally), but like everything else in life, it is only effective if used properly.