For three years, employee data sat on a former employee's device, unbeknownst to all

On October 24, Rotech Healthcare, Inc. reported a data security breach to the New Hampshire Attorney General’s Office that involved some health information.

According to their letter to the state, on August 30, they learned that a former employee took some files with her when she left the firm on November 26, 2010.

Those files contained information on employees and their dependents, including names, addresses, Social Security numbers, the names of the carrier(s) administering their healthcare coverage, and/or “limited information about certain medical or pharmacy services the resident received.”

Robin Menchen, Chief Privacy Officer for Rotech, informed the state that the former employee has deleted all information that was on the device and was returning the device to the firm. A letter to affected employees provides additional information and makes it clear that the removal of the files was discovered by the former employee’s subsequent employer, who found evidence of the files on the employee’s non-networked computer and contacted Rotech with the files. The employee seemed genuinely surprised and assured Rotech that the files had never been accessed or used while they were on the device.

Rotech offered those affected free credit monitoring services and is reviewing their privacy and security protocols to try to prevent a similar situation from occurring in the future. Thankfully for them, the employee’s subsequent employer discovered the breach, but the fact is that they had a breach in 2010 that went undiscovered for three years, and during that time the device could have been connected to the Internet, could have been infected by malware, or could have fallen into the wrong hands. That doesn’t seem to have happened, but it was a risk. And given the increasing use of BYOD, this strikes me as a priority for all firms that store or process personal and sensitive information.

About the author: Dissent