Do you authorize the use of mobile devices in your healthcare practice? Remember to safeguard privacy on mobile devices and prevent a privacy breach.
You Can Use This Privacy Breach Example to Review and Improve Your Practices
USB Flash Drive Missing
In June 2015, Newfoundland’s Eastern Health Authority (EHA) notified approximately 9,000 employees that their personal information contained in their employee records was compromised when a USB flash drive with their data on it had been lost. The Human Resources department had electronically scanned employee files so that hard copies of the files could be stored offsite.
This loss of control over employee records is a violation of Access to Information and Protection of Privacy Act (ATIPPA) and was reported to the Newfoundland and Labrador Office of the Information and Privacy Commissioner (OIPC).
Missing USB Drive NOT Encrypted
When the EHA discovered the USB flash drive missing, they searched the office and hired a third party specializing in this type of search to go over the office area.
The EHA conducted an internal investigation that included determining the type of information lost. They discovered there was personal information on the USB drive including employee names and some employees’ social insurance numbers (SIN).
The next step was to alert the employees affected by the breach.
The EHA first notified employees with the highest risk of significant harm (ROSH) because of the type of information included in the breach (for example, social insurance numbers) by phone. The remaining employees were notified by letter.
The EHA also provided information to the affected individuals on how to protect themselves from identity theft, and they offered to cover the cost of a credit check for any employee wanting one.
What Came From the Breach
The USB flash drive in question was found in August in a file folder.
To prevent a similar incident, the EHA has taken a number of precautionary steps:
- EHA plans to upgrade their system, so USB drives are automatically encrypted before being used.
- EHA has requested that all non-encrypted USB drives currently in use be returned and securely destroyed.
- EHA is no longer using SIN to index and transfer employee files.
- EHA also will review and update their policy regarding the issuance, control, and use of mobile devices.
The OIPC determined that the EHA responded adequately to the privacy breach complaint.
Privacy Nuggets That You Need to Know
Step 1 – Spot and Stop – The privacy breach was brought to EHA’s attention by the office that lost the USB flash drive. This is the first step in privacy breach awareness – spot the privacy breach and stop it.
Step 2 – Investigate – EHA identified what information was lost and the individuals affected by the incident.
Step 3 – Notify – EHA subsequently notified the affected individuals directly. The custodian also made the information about the breach public and provided the employees affected with information to protect themselves against any further harm.
Step 4 – Prevent the breach from happening again – EHA took steps to make sure this type of breach doesn’t happen again. Proactive steps—like requesting non-encrypted USB drives currently in use be returned and securely destroyed, and ensuring that only encrypted mobile devices can be used—are reasonable safeguards that all businesses should implement now.
When we know better, we can do better
I’ve helped hundreds of healthcare practices prevent privacy breach pain like this. If you would like to discuss how I can help your practice, just send me an email. I am here to help you.
Jean L. Eaton, Your Practical Privacy CoachReady for help now? Register for the FREE training video “Can You Spot the Privacy Breach?”
FREE 15-minute Privacy Breach Awareness On-line Training.
Along with your registration, you will also benefit from the occasional Privacy Nugget tips by email of similar privacy resources and articles that you can use right away!
References and Resources
Eastern Health blames ‘errors in judgement’ for privacy breach; health authority missing flash drive with names, data for 9,000 employees; Dantel MacEachern, firstname.lastname@example.org, Published on June 26, 2015
Commissioner Satisfied with Steps Taken by Eastern Health in Response to Breach, Newfoundland Labrador Office of the Information and Privacy Commissioner. September 4, 2015 http://www.releases.gov.nl.ca/releases/2015/oipc/0904n04.aspx
Information Privacy Commissioner of Ontario. Safeguarding Privacy on Mobile Devices. Posted August 2016. https://www.ipc.on.ca/wp-content/uploads/2016/08/safeguarding-privacy-on-mobile-devices-e.pdf