Information Managers

9,000 Employee Records Lost

Posted on May 1, 2017 by Jean Eaton in Blog

Do you authorize the use of mobile devices in your healthcare practice? Remember to safeguard privacy on mobile devices and prevent a privacy breach.

You Can Use This Privacy Breach Example to Review and Improve Your Practices

USB Flash Drive Missing

In June 2015, Newfoundland’s Eastern Health Authority (EHA) notified approximately 9,000 employees that their personal information contained in their employee records was compromised when a USB flash drive with their data on it had been lost. The Human Resources department had electronically scanned employee files so that hard copies of the files could be stored offsite.

This loss of control over employee records is a violation of the Access to Information and Protection of Privacy Act (ATIPPA) and was reported to the Newfoundland and Labrador Office of the Information and Privacy Commissioner (OIPC).

Missing USB Drive NOT Encrypted

When the EHA discovered that the USB flash drive was missing, they searched the office and hired a third party that specializes in this type of search to go over the office area.

The EHA conducted an internal investigation that included determining the type of information lost. They discovered there was personal information on the USB drive including employee names and some employees’ social insurance numbers (SIN).

The next step was to alert the employees affected by the breach.

The EHA first notified employees with the highest risk of significant harm (ROSH) because of the type of information included in the breach (for example, social insurance numbers) by phone. The remaining employees were notified by letter.

The EHA also provided information to the affected individuals on how to protect themselves from identity theft, and they offered to cover the cost of a credit check for any employee wanting one.

What Came From the Breach

The USB flash drive in question was found in August in a file folder.

To prevent a similar incident, the EHA has taken a number of precautionary steps:

  • EHA plans to upgrade their system so that USB drives are automatically encrypted before being used.
  • EHA has requested that all non-encrypted USB drives currently in use be returned and securely destroyed.
  • EHA is no longer using SIN to index and transfer employee files.
  • EHA will also review and update their policy regarding the issuance, control, and use of mobile devices.

The OIPC determined that the EHA responded adequately to the privacy breach complaint.

Privacy Nuggets That You Need to Know

Step 1 – Spot and Stop – The privacy breach was brought to EHA’s attention by the office that lost the USB flash drive. This is the first step in privacy breach awareness – spot the privacy breach and stop it.

Step 2 – Investigate – EHA identified what information was lost and the individuals affected by the incident.

Step 3 – Notify – EHA subsequently notified the affected individuals directly. The custodian also made the information about the breach public and provided the employees affected with information to protect themselves against any further harm.

Step 4 – Prevent the breach from happening again – EHA took steps to make sure this type of breach doesn’t happen again. Proactive steps—like requesting non-encrypted USB drives currently in use be returned and securely destroyed, and ensuring that only encrypted mobile devices can be used—are reasonable safeguards that all businesses should implement now.

When we know better, we can do better

I’ve helped hundreds of healthcare practices prevent privacy breach pain like this. If you would like to discuss how I can help your practice, just send me an email. I am here to help you.

Jean L. Eaton, Your Practical Privacy Coach

Ready for help now? Register for the FREE training video “Can You Spot the Privacy Breach?”

FREE 15-minute Privacy Breach Awareness On-line Training.

Along with your registration, you will also receive occasional Privacy Nugget emails with similar privacy resources and articles that you can use right away!


iPhone Stolen with 412 Patient Health Records

Posted on April 17, 2017 by Jean Eaton in Blog

Do you authorize the use of mobile devices in your healthcare practice? Remember to safeguard privacy on mobile devices and prevent a privacy breach.

You Can Use This Privacy Breach Example to Review and Improve Your Practices

A business associate (contractor) of the Catholic Health Care Services (CHCS) of the Archdiocese of Philadelphia had their iPhone stolen. This iPhone contained unprotected and unencrypted Personal Health Information (PHI). The U.S. Department of Health and Human Services Office for Civil Rights (OCR) started their investigation on April 17, 2014, and found that a total of 412 patient health records were compromised.

Protected Health Information at Risk

The data on the iPhone included security data, protected health information, social security numbers, family member contacts, treatment, and medication details.

Before a healthcare provider (also known as the custodian) authorizes the use of mobile devices to manage patient records, they must conduct a specific risk assessment to (1) determine the threats of mobile technology and (2) secure the data. Reasonable safeguards include written policies and procedures that authorize the use of mobile technology and identify the risks, as well as a mitigation strategy (including additional training for the employees using mobile technology) to ensure that they are aware of the added security risk. The incident investigation found that CHCS did not have these reasonable safeguards in place.

“Are you using mobile devices in your healthcare practice? This privacy breach could happen to you!”

$650,000 Fine

The OCR fined CHCS $650,000 and imposed monitoring of the business associate and CHCS to ensure compliance with HIPAA regulations for the next two years.

Privacy Breaches – What You Need to Know

The use of mobile devices in healthcare is common, and breaches like this one are easily preventable. The following information will help you to prevent a privacy breach.

  1. Policies and Procedures. You need a policy that states whether or not you allow employees to use their own mobile devices at work, and if so, for what purpose(s). (This is also known as bring your own device or BYOD.) This includes texting co-workers during work hours or accessing their work email from their smart phone. If you provide mobile devices to your employees so that they can do their jobs remotely (from their home office or when attending clients away from your practice), you must also conduct a specific threat risk assessment to determine the threats of mobile technology, secure the data, and implement reasonable safeguards.

Generally, when a mobile device containing personal identifying information is lost or stolen, the device must have both strong password protection and encryption for the loss not to be considered a breach of personally identifying information.

  2. Training. It is important that you provide specific training to your staff to ensure that they understand the additional specific risk of having personal information on mobile devices. Employees must know their responsibilities to protect the personal information of your patients, clients, and your practice. The custodian should keep a record of attendance to ensure that training is provided.
  3. Contractors. If you have contractors, vendors, or business associates who provide services and use mobile devices, you are responsible for ensuring that they also have strong policies and training, or that they follow your policies and training. In Alberta, make sure that you have an Information Manager Agreement (required by the Health Information Act (HIA) s.66) with your contractor, vendor, or business associate.

When we know better, we can do better

I’ve helped hundreds of healthcare practices prevent privacy breach pain like this. If you would like to discuss how I can help your practice, just send me an email. I am here to help you.

Jean L. Eaton, Your Practical Privacy Coach

Ready for help now? Register for the FREE training video “Can You Spot the Privacy Breach?”

(7-minute video).



New! Privacy Breaches – What You Need to Know

Posted on April 4, 2017 by Jean Eaton in Blog

I have just launched a new series in my Privacy Nuggets newsletters – Privacy Breaches – What You Need to Know.

This newsletter series will be published about every 2 weeks and will look at one privacy breach that has been in the news. I will summarize what happened, what the business did to manage the privacy breach, and specific privacy breach management tips that you can use right away!

You can use the privacy breach example to review and improve your practices.

You will also benefit from other similar privacy resources and articles that you can use right away!

Sign up for Privacy Nuggets here – https://informationmanagers.ca/privacy-nuggets/


PS – If you already receive Privacy Nuggets, you will automatically receive the new Privacy Breaches – What You Need to Know. You don't need to re-subscribe.


Privacy Breach Awareness Training

Posted on February 28, 2017 by Jean Eaton in Training

The biggest mistake in managing a privacy breach is not recognizing the privacy breach!

Join the FREE 15-minute Privacy Breach Awareness On-line Training to discover how you can avoid this mistake and what to do instead.

You can start the on-line education right away from your desktop or from an internet-enabled mobile device.

All you need is headphones or speakers to listen to the video.

Dealing with a privacy breach in your clinic can be stressful and confusing. What should you do? Who should you contact?

80% of all privacy breaches are caused inside the business

Most of these breaches are an ‘oops’ or honest mistakes. Some breaches are malicious or intentional. Sometimes businesses suffer security breaches from outside the business that cause privacy breaches.

If you don’t know how to recognize a privacy breach, you will not be able to manage the breach and prevent it from happening again and again.

This FREE 15-minute Privacy Breach Awareness On-line Training will help your employees to spot a Privacy Breach and know what to do next.

You will also receive occasional Privacy and Practice Management emails with similar resources that you can use right away!

Privacy Breach Awareness Training for YOUR Employees

Includes:

  • Video – “Can You Spot the Privacy Breach?” (7 minutes)
  • Learning Resources Guide you can download
  • Post Test
  • Certificate of Attendance

Ideal for front line staff, privacy officers, clinic managers, practice managers, healthcare providers, owners.

Learn the 3 common mistakes made when managing a privacy breach.

Learn from someone else’s mistakes!

Practical tips that you can use right away to protect the privacy of your clients and patients!

With Jean L. Eaton, Your Practical Privacy Coach!

It is easy for you to access the on-line Privacy Breach Awareness Training. Just register for the FREE on-line course.

Remember to check your email for the confirmation message and instructions.

Along with your webinar registration, you will also receive occasional Privacy Nugget emails with similar privacy resources and articles that you can use right away!


You Have a Privacy Breach. What’s Next?

Posted on February 15, 2017 by Jean Eaton in Blog

In healthcare, we strive to pay attention to details to provide the best care and treatment for our patients and respect the privacy of their personal information. However, we are human and errors do happen.

“The biggest mistake in managing a privacy breach is not recognizing the privacy breach. The second biggest mistake is not knowing what to do about it.”

How ‘small’ or ‘big’ does a privacy breach need to be, to require notification to a regulator?

What might be the implications to a business if they must report each privacy breach?

Are there other alternatives to mandatory breach reporting that we should consider?

I want to help you to be prepared for these scenarios.

In order for me to better understand how I can best serve you, could you fill out this QUICK 5-minute survey?

I will be summarizing the survey results on an upcoming blog post.

Whether you've never had a privacy breach or you've had more than one, your answers to this brief survey are valuable!

I greatly appreciate your input!

Answer the 5-minute survey right away!


Say ‘No’ to Snooping!

Posted on September 28, 2016 by Jean Eaton in Blog

We don't need more cases of people snooping into patient health records.

We do need employers to implement clear privacy policies and a privacy awareness training program, and to apply monitoring and sanctions when employees or contractors break policies and laws.

And we need employers who know how to prevent a privacy breach and properly manage a privacy breach when it happens.

Employers who don't do this are breaking the law, violating their professional regulatory standards, and exposing themselves to fines and even jail time.

What are you doing to improve your privacy in your healthcare practice?

You should have:

  • clear privacy policies
  • privacy awareness training program – not limited to training on the first day of work!
  • pro-active monitoring program
  • privacy breach response plan

If you need help, contact me. I will help you to sort out all the good things in your practice, point out where you can improve, and might be able to help you with the heavy lifting to get there. I'll help you to look after the elephant in the room.

Take steps today to make sure your healthcare practice isn't a victim of snooping.

Resources you can use right away

Instant access to Privacy Breach Awareness video, “Can you spot a privacy breach? (What are you going to do about it?)”

Privacy Breach Management

Download 10 Key Steps to Prevent a Privacy Breach


Keep Your Club Out of Legal Hot Water

Posted on August 31, 2016 by Jean Eaton in Blog

It only takes a little time and effort now to dramatically reduce the likelihood of a privacy breach in the future.
My Toastmaster career started as a charter member of Living Legacy Club and past member of New Entrepreneurs Club in Edmonton.

Toastcaster Speakcast for Toastmasters

Recently, I was a podcast guest on Toastcaster Podcast hosted by Greg Gazin.

It was a lot of fun to talk with Greg about how Toastmasters clubs can quickly and easily build privacy awareness into their club officers’ business practices.

We talked about the 3 simple practical tips every club can use to prevent a privacy breach. This works for every type of club – Toastmasters, Scouts, a soccer team or a book club!

Tip #1: Create an inventory of the data (assets) that your club collects and is now responsible for keeping confidential and secure.

Use the inventory like a library account – keep track of who has access to the information, and when it is returned.

The club owns this information and is responsible for maintaining the inventory, which could be kept with the club’s annual report.

Tip #2: Create a checklist for the orientation of each new club director that clearly tells them of your club's expectations about how they will keep club and member information confidential and secure.

You can use the checklist as part of the orientation package for club members and officers.

Tip #3: Make it easy for club directors and members to keep information confidential and secure.

It’s not always about technology.

But – you do need a method to ensure that the business records of the club – the members’ information, minutes of meetings, financial transactions, contracts and agreements that you have for events – are maintained in a central location.

This could be on paper. This could be on a private shared network where your directors can save and access all of their Club business records.

It should not be on your director’s mobile device, which can be lost, damaged or stolen. Emails should not be on personal email accounts, which the club can’t retrieve if the director suddenly moves away, is ill, or loses control of that email account. Don’t let your club directors send club emails using their employer's email account!

Tip – You could create a checklist as part of the orientation for each member and director. It should include clear and firm guidelines for confidentially and securely handling the business of your club – the do’s and don’ts of how to collect, use, and protect the information of members and the club.


Discover the top 10 mistakes that healthcare practices, small businesses and even your clubs commonly make with confidential information – and what you can do to avoid them.

You can take these easy-to-implement steps to protect your healthcare practice, small business and even your club from errors, omissions or attacks that could result in complaints, fines and even jail time!

Download the FREE report that you can access right away!


Tips to Protect Your Business From Cybercrime

Posted on August 12, 2016 by Jean Eaton in Blog

“Develop and practice a privacy and security breach management plan. Ask to see your vendors' and contractors' privacy and security breach management plan, too.

Prepare for cybercrime by identifying your risks and mitigating or preventing them.”

~ Jean L. Eaton of Information Managers Ltd.
Contributor “Tips to Protect Your Business From Cybercrime”

Independent healthcare practices and small business owners need to know the important tips to prevent cybercrime attacks.

“Tips to Protect Your Business From Cybercrime” will help you to discover over 75 practical tips from experts and small business owners to help you protect your small business.

Time spent NOW on basic security will prevent privacy breach pain!

“Cybersecurity is for all businesses – even if you are not using social media or do not have a website!”

Many small businesses think that they are too small to be attacked – not true! Not reviewing your security practices and keeping them up to date can leave your small business vulnerable to attacks.

Many independent healthcare providers and clinic owners ask,

  • I'm a small business. I'm not at risk of cybersecurity, am I?
  • I can't afford to hire a security expert – what can I do to improve cybersecurity for my business?
  • What should I include about cybersecurity in my training for my employees?

This e-book includes:

  • Website Security Tips
  • Finance Security Tips
  • Back Office Security Tips
  • Account Management Security Tips

You need to read this immediately to take your cybersecurity to the next level. Get this free e-book, “Tips to Protect Your Business From Cybercrime”, a cybercrime security e-book created by Microsoft and Small Business Trends!


Say ‘No’ to Snooping!

Posted on May 7, 2016 by Jean Eaton in Archive

We don't need more cases of people snooping into patient health records.

We do need employers to implement clear privacy policies and a privacy awareness training program, and to apply monitoring and sanctions when employees or contractors break policies and laws.

Employers who don't do this are breaking the law, violating their professional regulatory standards, and exposing themselves to fines and even jail time.

What are you doing to improve your policies and training?

If you need help, contact me. I will help you to sort out all the good things in your practice, point out where you can improve, and might be able to help you with the heavy lifting to get there. I'll help you to look after the elephant in the room.

Take steps today to make sure your healthcare practice isn't a victim of snooping.


Protected: Happy Hour Cafe – Are You Prepared?

Posted on April 28, 2016 by Jean Eaton in Uncategorized

Copyright 2022 Information Managers Ltd.