Since my last post I have read of three, and possibly four, data breaches in Massachusetts alone.
The first, reported by the Herald on August 2nd, involved a stolen laptop belonging to biomedical chemist Galen Loving, who is doing cancer research at Massachusetts General Hospital. The computer contained “reams of priceless data on cancer research.” The researcher forgot to retrieve his computer before departing from a Somerville restaurant. He realized the next morning that the computer and the thumb drive he backed up to were all in the same bag that he “mindlessly” left behind. In addition to many of Loving’s papers and presentations, the computer contained e-mails, failed studies and proposed future projects. No mention was made in the article as to whether the lost data contained information protected under 201 C.M.R. 17 or HIPAA. And unfortunately, no mention was made of encryption, which is the one control that would have made the loss of the hardware a loss of hardware only.
The following day, the Patriot Ledger reported that the Town of Rockland disposed of hundreds of intact canceled paychecks bearing bank account numbers and, in some instances, Social Security numbers of town workers employed between 1992 and 2002. The checks subsequently flew out of a disposal truck and onto the roadside. The Town Treasurer, responsible for disposal of the canceled checks, reportedly “didn’t realize they had Social Security numbers” on them and made no effort to shred the documents. The driver for Mike DelPrete & Sons Trucking “assured the town that he would retrace his route and pick up any checks he saw.” The town, however, acknowledged they have “no way of knowing… how many were lost – blown to the wind, down a gutter, on somebody’s hedge.” Employees whose payroll was directly deposited into their accounts are reportedly not affected by this breach.
Then just days later, the Town of Hingham distributed via e-mail 1,300 employee names and Social Security numbers to its management. A town official describes the risk to affected employees as “beyond minimal,” but I suspect the owners of the compromised records might feel differently. Of the thirty or so e-mails originally sent out, eleven were forwarded to managers’ personal e-mail accounts and computers, leaving one to wonder: how appropriate is it to have town business stored on personal computers and smart phones that may be less than secure?
Today I wake up to learn that records from four Massachusetts community hospitals were found at a local dump. The Boston Globe reports that thousands of unshredded medical records containing Social Security numbers, names and addresses, diagnoses, pathology reports including cancer tests and other medical information ended up in a pile about 20 feet wide by 20 feet long at a public dump. Preliminary reports have been made to the Attorney General’s office. The AG’s office says it is reviewing “whether there has been a data breach.” It seems the real question has less to do with whether a breach occurred than with its extent, and whether the AG’s office is going to give 201 C.M.R. 17 some teeth and start issuing fines. The Department of Public Health will undoubtedly be involved as well as it examines the HIPAA and HITECH data protection issues.
Unfortunately, all of these breaches highlight the fact that data security is not just about keeping hackers out of corporate networks. A business’s data security is only as strong as its weakest link, and in each of these incidents the weak link is directly tied to employee error: an unencrypted laptop left behind, records thrown out unshredded, and sensitive data e-mailed to unmanaged personal accounts. All of these breaches could have been prevented with better employee training, a comprehensive data security plan and properly enforced policies and procedures.