
9,000 Employee Records Lost

Posted on May 1, 2017 by Jean Eaton in Blog

Do you authorize the use of mobile devices in your healthcare practice? Remember to safeguard privacy on mobile devices and prevent a privacy breach.

You Can Use This Privacy Breach Example to Review and Improve Your Practices

USB Flash Drive Missing

In June 2015, Newfoundland’s Eastern Health Authority (EHA) notified approximately 9,000 employees that their personal information contained in their employee records was compromised when a USB flash drive with their data on it had been lost. The Human Resources department had electronically scanned employee files so that hard copies of the files could be stored offsite.

This loss of control over employee records is a violation of the Access to Information and Protection of Privacy Act (ATIPPA) and was reported to the Newfoundland and Labrador Office of the Information and Privacy Commissioner (OIPC).

Missing USB Drive NOT Encrypted

When the EHA discovered the USB flash drive missing, they searched the office and hired a third party specializing in this type of search to go over the office area.

The EHA conducted an internal investigation that included determining the type of information lost. They discovered there was personal information on the USB drive including employee names and some employees’ social insurance numbers (SIN).

The next step was to alert the employees affected by the breach.

The EHA first notified by phone the employees at the highest risk of significant harm (ROSH) because of the type of information included in the breach (for example, social insurance numbers). The remaining employees were notified by letter.

The EHA also provided information to the affected individuals on how to protect themselves from identity theft, and they offered to cover the cost of a credit check for any employee wanting one.

What Came From the Breach

The USB flash drive in question was found in August in a file folder.

To prevent a similar incident, the EHA has taken a number of precautionary steps:

  • EHA plans to upgrade their system, so USB drives are automatically encrypted before being used.
  • EHA has requested that all non-encrypted USB drives currently in use be returned and securely destroyed.
  • EHA is no longer using SIN to index and transfer employee files.
  • EHA also will review and update their policy regarding the issuance, control, and use of mobile devices.

The OIPC determined that the EHA responded adequately to the privacy breach complaint.

Privacy Nuggets That You Need to Know

Step 1 – Spot and Stop – The privacy breach was brought to EHA’s attention by the office that lost the USB flash drive. This is the first step in privacy breach awareness – spot the privacy breach and stop it.

Step 2 – Investigate – EHA identified what information was lost and the individuals affected by the incident.

Step 3 – Notify – EHA subsequently notified the affected individuals directly. The custodian also made the information about the breach public and provided the employees affected with information to protect themselves against any further harm.

Step 4 – Prevent the breach from happening again – EHA took steps to make sure this type of breach doesn’t happen again. Proactive steps—like requesting non-encrypted USB drives currently in use be returned and securely destroyed, and ensuring that only encrypted mobile devices can be used—are reasonable safeguards that all businesses should implement now.

When we know better, we can do better

I’ve helped hundreds of healthcare practices prevent privacy breach pain like this. If you would like to discuss how I can help your practice, just send me an email. I am here to help you.

Jean L. Eaton, Your Practical Privacy Coach

Ready for help now? Register for the FREE training video “Can You Spot the Privacy Breach?”

FREE 15-minute Privacy Breach Awareness On-line Training.

Along with your registration, you will also benefit from the occasional Privacy Nugget tips by email of similar privacy resources and articles that you can use right away!


iPhone Stolen with 412 Patient Health Records

Posted on April 17, 2017 by Jean Eaton in Blog

Do you authorize the use of mobile devices in your healthcare practice? Remember to safeguard privacy on mobile devices and prevent a privacy breach.

You Can Use This Privacy Breach Example to Review and Improve Your Practices

A business associate (contractor) of the Catholic Health Care Services (CHCS) of the Archdiocese of Philadelphia had their iPhone stolen. This iPhone contained unprotected and unencrypted Personal Health Information (PHI). The U.S. Department of Health and Human Services Office for Civil Rights (OCR) started their investigation on April 17, 2014, and found that a total of 412 patient health records were compromised.

Protected Health Information at Risk

The data on the iPhone included security data, protected health information, social security numbers, family member contacts, treatment, and medication details.

Before a healthcare provider (also known as the custodian) authorizes the use of mobile devices to manage patient records, they must conduct a specific risk assessment to (1) determine the threats of mobile technology and (2) secure the data. Reasonable safeguards include written policies and procedures that authorize the use of mobile technology and identify the risks, as well as a mitigation strategy (including additional training to the employees using mobile technology) to ensure that they are aware of the added security risk. The incident investigation found that CHCS did not have these reasonable safeguards in place.


$650,000 Fine

The OCR fined CHCS $650,000 and imposed monitoring of the business associate and CHCS to ensure compliance with HIPAA regulations for the next two years.

Privacy Breaches – What You Need to Know

This use of mobile devices in healthcare is common and breaches are easily preventable. The following information will help you to prevent a privacy breach.

  1. Policies and Procedures. You need a policy that states whether or not you allow employees to use their own mobile devices at work, and if so, for what purpose(s). (This is also known as bring your own device or BYOD.) This includes texting co-workers during work hours or accessing their work email from their smart phone. If you provide mobile devices to your employees so that they can do their jobs remotely (from their home office or when attending clients away from your practice), you must also conduct a specific threat risk assessment to determine the threats of mobile technology, secure the data, and implement reasonable safeguards.

     Generally, when a mobile device containing personal identifying information is lost or stolen, the loss is not considered a breach of personally identifying information only if the device was protected by both a strong password and encryption.

  2. Training. It is important that you provide specific training to your staff to ensure that they understand the additional specific risk of having personal information on mobile devices. Employees must know their responsibilities to protect the personal information of your patients, clients, and your practice. The custodian should keep a record of attendance to ensure that training is provided.
  3. Contractors and Business Associates. If you have contractors, vendors, or business associates who provide services and use mobile devices, you are responsible for ensuring that they also have strong policies and training, or that they follow your policies and training. In Alberta, make sure that you have an Information Manager Agreement (required by the Health Information Act (HIA) s.66) with your contractor, vendor, or business associate.

When we know better, we can do better

I’ve helped hundreds of healthcare practices prevent privacy breach pain like this. If you would like to discuss how I can help your practice, just send me an email. I am here to help you.

Jean L. Eaton, Your Practical Privacy Coach

Ready for help now? Register for the FREE training video “Can You Spot the Privacy Breach?”

(7 minute video).



Is a Hosted Email Solution For You?

Posted on January 29, 2016 by Jean Eaton in Blog

Is your email secure? Backed up? If you suddenly lose your email, calendar, or contact list, this could either be a speed bump in your busy day, or a nightmare that may take days or weeks and a lot of money to recover.

If you use email as temporary communications or your primary method of business, it needs to be managed securely. When you or your staff use email from multiple devices – such as your desktop computer, smart phone, or website – you have additional privacy and security requirements.

Many small businesses have purchased an email software system like Outlook as part of their desktop software. Unfortunately, recent software updates from Microsoft do not include Outlook; you are encouraged instead to purchase MS Office 365 software where all of your email is stored on the MS Cloud.

Some businesses use free email accounts – like Gmail or Yahoo – where emails, calendars, and contact information are stored on the public cloud. They are accessible from any internet connection but are difficult to back up to a local device that you can control.

If you use email to transact business – employee records, business contacts, company newsletters, subscriptions, financial or consumer purchases, or personally identifying messaging – you need to meet privacy and security requirements.

Previous versions of Windows Server Small Business Server (SBS) edition included Microsoft Exchange so small businesses could create their own in-house email server. This is not included in Windows Server 2012 Essential (SBS replacement). But small businesses still have a few options:

  • Buy the Microsoft Exchange Server full licenses, although it can be quite expensive
  • Sign up to Office 365, which is a hosted, cloud-based Microsoft Exchange service from Microsoft with email hosted in the USA. Offices will need to determine their level of risk in using personally identifiable information in emails – including sensitive information like credit card, payroll, health information, and other sensitive content – which will be stored outside Canada and subject to US legislation and uses.
  • Contract with a Canadian hosted Microsoft Exchange service with a Canadian based cloud service provider. This might be a cost effective solution and permit full access to email in an environment which is backed up and more easily accessible.

Features offered with a hosted email service

There are many features offered with a hosted email service:

  • Collaboration is easy as you have access to group calendaring and scheduling, shared contacts, folders and calendars, tasks and task delegation, as well as public email folders.
  • Fully functional email software.
  • Sync capabilities to your smart phone without worrying about viruses, spam, or malware, and mail archiving is automatic. Store as much or as little email as you need and do so without dealing with annoying ads.
  • Anti-phishing, anti-virus, and malware software are attached to each email connection.
  • No data ‘left behind’ on the device – all data is securely maintained in the hosted email. If a mobile device is lost or stolen, business email is not compromised.
  • You can apply business rules – for example, emails can be prevented from being forwarded to an employee's home gmail account. Employees can securely work from home.
  • All business data is maintained by the business. So if your employee wins the lottery and doesn't come back to work, all business emails have been maintained in the hosted email and not on an employee's home computer.
  • Data is encrypted during the internet transmission.

To get a Hosted Email, you will need internet access with a data plan. You can continue to use your desktop computer and its cable internet access. When you use mobile devices, you can use your mobile provider data plan (Rogers, Bell, Telus, etc), or connect to a trusted WiFi connection.

You are still responsible for good security practices at your location including:

  • Unique user ID and password on your computer network – including mobile devices
  • Good password management – complex passwords that are changed regularly
  • Physical safeguards to ensure that your work locations – including mobile locations – are secure from theft
  • Common sense awareness – don't open suspicious phishing or spam emails

Business-class Microsoft Exchange email hosting services mean you're always in touch and up-to-date, in the office or on the road accessing your mobile email.

3 Things to look for in a hosted email solution vendor

  • Canadian provider with data centres only in Canada (Alberta preferable)
  • Reputable company with proven track record
  • Contract including:
    • Termination clause – when the contract terminates, the vendor will:
      • Notify you in advance of termination
      • Allow local back up of your data or data transfer
      • Validate that your data has been completely and securely deleted from the data centre
    • Encryption at the data centre – no one at the data centre can read your information, and it is secure from someone else hacking into the data centre to steal your data

Confirm your backup plan for your email accounts. If you don't have one, create a plan.


Private Event Complimentary for Microquest Clients

Posted on December 21, 2012 by Jean Eaton in Blog

Webinar – Clinic Manager's Privacy and Security Top 10 List

Time to update your Privacy Management Program plan for 2013! This workshop is an essential and effective hour long presentation on the Top 10 Privacy and Security issues facing Clinic Managers and Privacy Officers.

Webinar Series: Clinic Manager's Privacy & Security Top 10 List

Friday, January 18, 2013

11:30am – 12:30pm

Includes: HealthQuest Appointments application, HealthQuest iPad Forms application, Email security, mobile devices, managing vendor agreements, privacy breaches, privacy officer role and responsibility, training, and more.

Facilitated by Jean Eaton, Information Managers Ltd, and Rita Hielema, Microquest.



Copyright 2022 Information Managers Ltd.
