Browsing articles tagged with "Data Protection"

B.C. Health Ministry Data Breach Affects Millions

Jan 16, 2013   //   by Karen Lopez   //   Blog, Compliance and Regulation, Data, Data Breach  //  1 Comment

News comes of yet another health data breach, with millions affected.  The largest breach, of about 5 million people, involves, yet again, a USB drive.

I could see why a CIO would want to order the disabling of all USB ports on corporate computers. Then will someone come up with a “USB Drives Don’t Breach Data, People Do” solution?

I’m still wondering why the tech community can’t come up with a solution to this ongoing attack on people’s data.   In these cases, is it that the employees just didn’t care about the people? Were they feeling pressure to just get the job done?  Did they not know that sensitive data was on these devices?  Perhaps they were just sharing one of their USB bottle openers like the ones I collect?

– June 2012: The health data of about 38,000 individuals was shared with a researcher. The data was linked to Statistics Canada community health survey information. The disclosure of the information breached an agreement with the federal government.

– June 2012: A USB stick which contained a plain text file of 19 types of health data was provided to an authorized ministry contractor. The file included personal health numbers and health conditions – such as Alzheimer’s – for about five million individuals over several years. Against policy, the data was neither encrypted nor made non-identifiable.

– October 2010: Health Ministry data containing the personal health numbers of about 21,000 people – with diagnostic information for about 262 chronic diseases conditions – was shared on a USB stick with a researcher without a request being approved.

via B.C. Health Ministry data breach affects millions – 38,000 will receive letters – Local – Times Colonist.

Disabling USB ports seems like the wrong approach.  Right now I’m leaning towards criminal prosecution of people who are careless with our data.

Love your data.  Because it’s really our data.

An Audible Data Privacy Breach

Jan 2, 2013   //   by Karen Lopez   //   Blog, Data, Data Breach  //  3 Comments

 

RI labor dept. warns of possible privacy breach.

I think about data encryption, physical access controls to servers and such on a regular basis. But there are all kinds of formats via which data gets stored or communicated.  The Rhode Island Department of Labor recently had a data breach involving their call center.  Customers were able to hear conversations on other calls.  The department estimates fewer than 700 people were affected.

  • Paper forms in which data is originally collected.  Think membership forms, applications, feedback and suggestion forms.  I remember seeing a binder full of membership forms being used to prop open a door on the sidewalk in front of a store.  When I pointed out to the manager that this was a problem, he shrugged and said it wasn’t a problem because all the data had already been keyed in and therefore no longer had any value to them except when the systems were down.
  • Video and photographs.  The advent of video analytics and photo analysis means that we are collecting, storing, and putting at risk more data than ever before.  I remember seeing a retailer’s security video tapes sitting all lined up on a counter at the back of a store.  The only thing that made this somewhat safe is that the security system was most likely so poor it would be impossible to determine who was on those videos.  But now video analytics allow retailers to determine when you visit their store, who you shop with and what products interest you.
  • Conversations.  Yes, all those "may be recorded for quality purposes" call center calls are most likely chock full of your personal information.  I worry how well those data sets are being protected, too.

I believe our role as data professionals should go beyond protecting the data held in a traditional database.  Because I’m not sure anyone else is even considering that data.  And I’d bet the bad guys are betting that no data professional is involved in protecting it.

Love your data.  Love your customers’ data, too.

How Safe is Your Medical Data? You Don’t Want to Know…

Feb 18, 2012   //   by Karen Lopez   //   Blog, Data, Data Breach  //  1 Comment

So you live in a country that has legislation requiring your health data to be protected and you believe it’s all safe.  If you live in the US, think again.

According to a study by Ponemon Institute sponsored by MegaPath:

  • 91% of small healthcare organizations (think your local doctor, dentist, optometrist or clinic) had experienced a breach of protected health information (PHI) in the previous 12 months; of those, 29% resulted in medical identity theft
  • 52% of small healthcare providers rated their security technology plans as ineffective
  • 43% had experienced medical identity theft in their organizations
  • 55% of respondents had to notify patients of a data breach in the previous 12 months
  • On average, less than 10% of the respondents’ IT budgets are spent on security

You can register and download the entire paper at http://www.megapath.com/solutions/industry/healthcare/study/

I found this table the most discouraging:

[Image: table from the Ponemon Institute study]

From a data governance and data protection point of view, I’d really expect to see ALL of those be 100%.   My doctor recently moved to mostly electronic health records (as have most in my province), but I’m wondering what his answers to all of these questions would be.  When I think about the 91% data breach numbers, I see this table as one of the key reasons that number is so high.

Even if you aren’t in a health-related organization, I’d expect your numbers to be higher.  63% backup and disaster recovery plans? How can we call ourselves professionals when this is life-critical information?  Ultimately it is organization leadership who are responsible for protecting data.  But I’ve always been concerned about how far we data professionals should go in ensuring that the public is protected from harm when data policies and practices are not sufficient.  Should we not move to other projects? Report bad practices?  To whom?

This is a US-based study and I’m curious about similar numbers in other countries with and without health data privacy legislation.  If you have links to other sources, please provide them in the comments.
