
Today we've got a guest blog post from Ron Arden, the Vice President of Strategy & Marketing for eDocument Sciences. Ron is joining us today to talk about the consequences of a data breach.

Organizations are getting very serious about how they react to a data breach of confidential information. On January 10, 2013, an employee of a contractor who processes Medicaid prescription transactions lost a USB drive holding about 6000 patients’ names, Medicaid identification numbers, ages and recent prescription drug use histories. Less than a week later, she was fired.

The organization affected was the Utah Department of Health. It uses Goold Health Systems to process pharmacy claims for Utah’s low-income health program. The breach occurred because a Goold employee copied a report containing the confidential information on 6000 Medicaid enrollees to an unencrypted USB drive. She left the company facilities with the thumb drive in her possession. She copied the report to the thumb drive because she was having trouble uploading it to a secure file server, which is the normal process. She planned to upload it later. According to Goold, doing this is against company policy.

There are numerous problems in this scenario.

The first is that the employee didn’t realize copying personal health information (PHI) onto a thumb drive was against company policy. I don’t know if that’s true or not. Maybe she knew, but thought it was no big deal. If she didn’t know, then the company has a serious training problem. Anyone dealing with PHI or any sensitive data needs to be trained on proper handling of the information. If she knew and did it anyway, the training isn’t very effective. Someone besides the employee may need to be held accountable.

The next problem is that the confidential information was not encrypted. At a minimum, the company should either restrict copying information to USB drives or require that every USB drive used for company business be encrypted.

A better approach is to encrypt the document itself rather than relying on people to use encrypted devices. When the employee created and downloaded the report, a persistent security policy should be applied to the document. The security policy defines who can view, edit, print, copy and save the file. If the employee copied an encrypted file to a thumb drive and lost it, there is no data breach and no problem. According to HIPAA regulations, if the information is encrypted, there are no data breach reporting obligations, since no PHI has actually been released.

If a sensitive document accidentally gets into the wrong hands, the information in it is worthless. It looks like random characters unless the person reading it has the appropriate access rights. As soon as Goold realized they had a potential data breach, they could have immediately revoked access to the document. This effectively kills all access to it.
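To make the document-level model concrete, here is an added illustration in Go (not code from the original post or from eDocument Sciences): a hypothetical in-memory policy/key service. The report that would sit on a thumb drive is only AES-GCM ciphertext, the per-document key and the viewer list stay on the server, and revoking the document destroys the key so every copy becomes unreadable at once. The type and function names, the document ID and the sample report text are all assumptions constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

type doc struct { // one protected report's server-side record
	key     []byte
	viewers map[string]bool
}

// policyServer is a hypothetical in-memory stand-in for the post's policy/key service; keys never leave it.
type policyServer struct{ docs map[string]*doc }

func randBytes(n int) []byte { // demo-only: panic if the OS CSPRNG fails
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// newGCM wraps a 32-byte key as AES-256-GCM; neither call can fail for that key size.
func newGCM(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// Protect encrypts a report under a fresh per-document key and records its policy. The blob
// (nonce||ciphertext, document ID as authenticated data) is all that would sit on a thumb drive.
func (s *policyServer) Protect(docID string, report []byte, allowed map[string]bool) []byte {
	key, nonce := randBytes(32), randBytes(12)
	s.docs[docID] = &doc{key: key, viewers: allowed}
	return newGCM(key).Seal(nonce, nonce, report, []byte(docID))
}

// Open returns the plaintext only if the document still exists here and the user is on its policy.
func (s *policyServer) Open(docID, user string, blob []byte) ([]byte, error) {
	d := s.docs[docID]
	if d == nil || !d.viewers[user] || len(blob) < 12 {
		return nil, errors.New("access denied by policy or malformed blob")
	}
	return newGCM(d.key).Open(nil, blob[:12], blob[12:], []byte(docID))
}

// Revoke is the kill switch the post describes: with the key gone, every copy is unreadable.
func (s *policyServer) Revoke(docID string) { delete(s.docs, docID) }
```

Because GCM authenticates the ciphertext and the document ID, a blob that has been altered or relabelled also fails to open, not just one whose policy no longer lists the reader.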

Goold may be liable for penalties and legal action under Utah data breach legislation and HIPAA. It’s possible that the thumb drive was thrown into the trash and no one will ever see it, but it’s also possible that someone may find the information and use it for identity theft. Either way, the laws are fairly explicit.

Violating policy on PHI is serious business. In this case it got someone fired. Anyone dealing with protected information needs to encrypt it to prevent a possible data breach.

