Thursday, February 09, 2006

How does this happen?

Late in 2004 the Canadian Imperial Bank of Commerce made news when West Virginia junk dealer Wade Peer disclosed he'd been receiving confidential faxes from the bank containing customer account information.

Peer said he'd been trying to get the bank to stop because of the nature of the information and because the transmissions were so numerous as to disrupt his business.

At the time I recall thinking, "how does one manage to accidentally fax information to the wrong machine?" Especially in the CIBC/Wade Peer case, where a West Virginia salvage yard would seem to be an unlikely number for a Canadian bank to have in its Rolodex.

Similar incidents have been reported since that story first broke, and now this week we learn that Brigham & Women's Hospital in Boston has been faxing patient data to an investment bank across town.

As with the CIBC case, the recipient of Brigham & Women's faxes attempted, to no avail, to get the hospital to stop.

This is the second high-profile breach of personally identifiable information to come out of the Hub in the last two weeks. We're already following the Boston Globe's disclosure of more than 200,000 credit card accounts.

In the Brigham & Women's case, the breach goes beyond the usual credit data. Yes, published reports say that names, SSNs, and other PII necessary for credit and identity fraud were part of the transmissions, but medical data were also included, among them information related to test results for sexually transmitted diseases.

How has Brigham & Women's responded to the breach so far? Not well.

The investment bank says they've contacted Brigham & Women's a dozen times over the last six months, and each time they have been told that the problem would be resolved. But it hasn't. Being called out in the media has gotten the attention of someone at Brigham & Women's, prompting them to issue a statement, which I have not found on the hospital's web site, nor have I been able to find via Google.

Considering the nature of the information disclosed, one would think that a hospital - especially one with Brigham & Women's stellar reputation - would want to reassure past and future patients that potentially damaging information will not be made public as a result of a stay in their facility. For the moment, I'll assume that the hospital is taking steps to identify and contact all affected patients. But apart from brief statements in the press, there is no such evidence.

So how does something like this happen? A clerical error, most likely. The wrong number saved on the office fax happens to reach the wrong fax machine elsewhere but, because the fax report indicates a successful transmission, no one notices. Until, that is, the recipient calls the hospital to notify someone. At that point it would seem to be an easy problem to fix: find the erroneous number and change it.

In my opinion, the error is symptomatic of a larger problem: lip service paid to the issue of data privacy, but no pervasive action within the organization to raise awareness of how such breaches might occur. Had the seriousness of this issue been communicated within Brigham & Women's, from the top down through to all levels of the organization, the problem might not have happened in the first place, and would almost certainly have been fixed upon initial discovery.

Recommendation: Training and awareness. Technology is often the focus of data security, but the weakest link in this chain has been shown again and again to be people. And while a hospital clerk may have pushed the button in this case, the responsibility rests at the top of the organization. Without adequate support from the boardroom, security rarely filters down through to where it is needed most. Helping everyone in an organization understand their role in maintaining proper security and data privacy is an organizational imperative, and it starts at the top.
