Do your staff know how to respond to a privacy complaint? Do your staff, volunteers, or directors login to a server to access documents remotely? Have you done a security assessment to ensure that the access is secure? Do they know how to manage confidential documents once they have downloaded them?
You Can Use This Privacy Breach Example to Review and Improve Your Practices
Do you store confidential documents on your website? After all, a website is a type of a file server accessible from an internet connection that is often hosted by a third party. There is often a public access and a members-only side for authorized users to login and view and download documents.
Maybe you intended only authorized users to access the file – but are you sure that it is secure? Here's what can happen if your confidential documents can be found by the public!
In 2016, personal information of the 285 clients was compiled into an electronic file, prepared for the service’s board of directors on new cases arising between April and November of 2015, but was not properly secured on the agency’s website. The files were subsequently viewed by the public.
An alleged privacy breach at Family and Children’s Services of Lanark, Leeds and Grenville (FCSLLG) of Brockville, Ontario in 2016 has led to the agency being sued for negligence, invasion of privacy and a breach of the Canadian Charter of Rights and Freedoms.
The personal information of the 285 clients was compiled into an electronic file, and prepared for the service’s board of directors to review in the course of their business.
The list was publicly available to anyone, who knew the correct URL website address.
Someone accidently ‘found’ the website address and saw the confidential information. She notified the FCSLLG and warned them that the information was available to the public. When she did not receive a response from FCSLLG that acknowledged her concern and correct the problem, she posted the information on Facebook.
[clickToTweet tweet=”If you ignore a #PrivacyBreach, this could happen to you!” quote=”If you ignore a privacy complaint, this could happen to you!”]
The lawsuit seeks $25 million in general damages, $25 million in special damages and $25 million in punitive, aggravated and exemplary damages.
The lawsuit alleges that the FCSLLG website was completely unsecured between February and April 2016, with the full knowledge of FCSLLG.
Privacy Nuggets You Need to Know
We can only wonder about the outcome of the breach if the staff at the agency had promptly responded to the privacy breach complaint. It is possible that if the agency had secured the information immediately and limited any further disclosure that the law suit might had been avoided.
- Know how to properly respond to a privacy and security complaint or privacy breach. Create or review your written procedures now!
- Identify and train a privacy officer in your business.
This unfortunate breach is a good reminder for all businesses to follow-up with your information technology and website host support to ensure that your server has been properly secured and training provided to staff to properly upload files to the secure server. In addition:
- Consider hiring a managed service provider to ensure secure access only to authorized users. If you allow remote access to confidential information, you can’t afford not to have experts to help you!
- Know how to secure documents on your file server.
- Make sure that your authorized users know how to securely manage the documents after they have downloaded them from your secure file server.
There are many privacy breaches in the news each day. The more you know about the breaches and how they can affect you allows you to be more proactive to prevent privacy breach pain.
When we know better, we can do better
I’ve helped hundreds of healthcare practices prevent privacy breach pain like this. If you would like to discuss how I can help your practice, just send me an email. I am here to help you.
Jean L. Eaton, Your Practical Privacy CoachReady for help now? Register for the FREE training video “Can You Spot the Privacy Breach?”
FREE 15-minute Privacy Breach Awareness On-line Training.
Along with your registration, you will also benefit from the occasional Privacy Nugget tips by email of similar privacy resources and articles that you can use right away!
References and Resources
FCS faces negligence suit. By Sabrina Bedford, The Recorder and Times, Friday, December 15, 2017, http://www.recorder.ca/2017/12/15/fcs-faces-negligence-suit .