Information Managers

9,000 Employee Records Lost

Posted on May 1, 2017 by Jean Eaton in Blog

Do you authorize the use of mobile devices in your healthcare practice? Remember to safeguard privacy on mobile devices and prevent a privacy breach.

You Can Use This Privacy Breach Example to Review and Improve Your Practices

USB Flash Drive Missing

In June 2015, Newfoundland’s Eastern Health Authority (EHA) notified approximately 9,000 employees that their personal information contained in their employee records was compromised when a USB flash drive with their data on it had been lost. The Human Resources department had electronically scanned employee files so that hard copies of the files could be stored offsite.

This loss of control over employee records is a violation of the Access to Information and Protection of Privacy Act (ATIPPA) and was reported to the Newfoundland and Labrador Office of the Information and Privacy Commissioner (OIPC).

Missing USB Drive NOT Encrypted

When the EHA discovered the USB flash drive missing, they searched the office and hired a third party specializing in this type of search to go over the office area.

The EHA conducted an internal investigation that included determining the type of information lost. They discovered there was personal information on the USB drive including employee names and some employees’ social insurance numbers (SIN).

The next step was to alert the employees affected by the breach.

The EHA first notified employees with the highest risk of significant harm (ROSH) because of the type of information included in the breach (for example, social insurance numbers) by phone. The remaining employees were notified by letter.

The EHA also provided information to the affected individuals on how to protect themselves from identity theft, and they offered to cover the cost of a credit check for any employee wanting one.

What Came From the Breach

The USB flash drive in question was found in August in a file folder.

To prevent a similar incident, the EHA has taken a number of precautionary steps:

  • EHA plans to upgrade their system, so USB drives are automatically encrypted before being used.
  • EHA has requested that all non-encrypted USB drives currently in use be returned and securely destroyed.
  • EHA is no longer using SIN to index and transfer employee files.
  • EHA also will review and update their policy regarding the issuance, control, and use of mobile devices.

The OIPC determined that the EHA responded adequately to the privacy breach complaint.

Privacy Nuggets That You Need to Know

Step 1 – Spot and Stop – The privacy breach was brought to EHA’s attention by the office that lost the USB flash drive. This is the first step in privacy breach awareness – spot the privacy breach and stop it.

Step 2 – Investigate – EHA identified what information was lost and the individuals affected by the incident.

Step 3 – Notify – EHA subsequently notified the affected individuals directly. The custodian also made the information about the breach public and provided the employees affected with information to protect themselves against any further harm.

Step 4 – Prevent the breach from happening again – EHA took steps to make sure this type of breach doesn’t happen again. Proactive steps—like requesting non-encrypted USB drives currently in use be returned and securely destroyed, and ensuring that only encrypted mobile devices can be used—are reasonable safeguards that all businesses should implement now.
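The two technical safeguards named above, allowing only encrypted removable drives and being able to verify that a given drive is in fact encrypted, can be enforced on a Windows workstation with built-in tooling. The following is an added example written for this article, not EHA's configuration or code from the original post. It assumes a Windows 10 or 11 Pro/Enterprise machine managed locally (no domain Group Policy) and an elevated PowerShell session; the drive letter `E:` is a constructed placeholder.

```powershell
# Added example (not from the original post). Assumes Windows 10/11 Pro or Enterprise,
# BitLocker available, and an elevated PowerShell session.

# 1. Policy: refuse to write to any removable drive that is not BitLocker-protected.
#    This is the registry-backed equivalent of the Group Policy setting
#    "Deny write access to removable drives not protected by BitLocker".
$policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
if (-not (Test-Path $policyPath)) {
    New-Item -Path $policyPath -Force | Out-Null
}
Set-ItemProperty -Path $policyPath -Name 'RDVDenyWriteAccess' -Value 1 -Type DWord

# 2. Encrypt a removable drive with a password protector before it leaves the office.
function Protect-RemovableDrive {
    param([Parameter(Mandatory)][string]$MountPoint)   # e.g. 'E:' (placeholder)
    $pw = Read-Host -AsSecureString -Prompt "Password for $MountPoint"
    Enable-BitLocker -MountPoint $MountPoint -PasswordProtector -Password $pw | Out-Null
}

# 3. Audit: report whether a drive is fully encrypted with protection turned on.
function Test-RemovableDriveEncrypted {
    param([Parameter(Mandatory)][string]$MountPoint)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        ProtectionStatus = $vol.ProtectionStatus   # On / Off
        VolumeStatus     = $vol.VolumeStatus       # FullyEncrypted, FullyDecrypted, ...
        Compliant        = ($vol.ProtectionStatus -eq 'On' -and
                            $vol.VolumeStatus -eq 'FullyEncrypted')
    }
}

# Report every removable drive that currently has a drive letter.
Get-Volume |
    Where-Object { $_.DriveType -eq 'Removable' -and "$($_.DriveLetter)" -match '^[A-Z]$' } |
    ForEach-Object { Test-RemovableDriveEncrypted -MountPoint "$($_.DriveLetter):" } |
    Format-Table -AutoSize
```

With the policy in place, an unencrypted flash drive can still be read but cannot receive new files, so scanned employee records cannot be copied onto it in the first place; the audit function gives the investigation team a quick way to confirm the state of a drive that is later found, as EHA's was.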

When we know better, we can do better

I’ve helped hundreds of healthcare practices prevent privacy breach pain like this. If you would like to discuss how I can help your practice, just send me an email. I am here to help you.

Jean L. Eaton, Your Practical Privacy Coach

Ready for help now? Register for the FREE training video “Can You Spot the Privacy Breach?”

FREE 15-minute Privacy Breach Awareness On-line Training.

Along with your registration, you will also benefit from the occasional Privacy Nugget tips by email of similar privacy resources and articles that you can use right away!

Copyright 2022 Information Managers Ltd.