Oops: a breach notification revealed too much
When Drexel University College of Medicine experienced a breach due to the theft of a computer, they notified states attorney general as required by various state laws.
But because only one resident of Maryland was affected by the breach, Drexel included a copy of the notification letter to the patient when they notified the Maryland Attorney General’s office. And by doing that, they compounded the privacy problem for one patient.
When Maryland made all breach notices available on the web, I was going through them to locate breaches that had not been disclosed or reported in the media. And in reading Drexel’s breach disclosure, I realized that the failure to redact the patient’s name, address, and some information about the breach had produced another privacy problem. Rather than posting the breach to PHIPrivacy.net, then, I delayed, called Drexel, and informed them of the problem. They promptly contacted the Maryland Attorney General’s office, who removed the file from the web.
Now that the file has been removed, I can report the breach. A redacted copy of their notification letter to Maryland can be found here, but Edward Longazel, Drexel’s Chief Compliance and Privacy Officer provided me with additional details when I spoke with him.
Longazel informed me that the problem occurred because a contract worker created a spread sheet to show what work she had done that day. The spread sheet included the names of patients and their Social Security numbers or dates of birth and was created on a computer that was not supposed to contain any data at rest. Not only should the worker not have created the file, but she should not have been using Social Security numbers, and during the day, when she overheard someone else being trained that SSN were not to be used, she switched to using dates of birth.
At the end of the day, she emailed the spreadsheet to her supervisor and then shut down the computer without deleting the file. The computer was stolen.
According to Longazel, less than 250 people were affected by the theft, and there were no addresses or financial information in the stolen computer.