One employee sends the wrong file, another does not recognize the confidential nature of the details

Jul 11, 2014 23:31 GMT

Information leaks should not always be blamed on hackers taking advantage of weak security systems. This sort of incident sometimes occurs because of the carelessness of employees who somehow manage to send sensitive details to the wrong inboxes.

This is the case with the private health info of more than 20,000 children who received treatment at Rady Children’s Hospital in San Diego. It seems that all this data was sent, by mistake, to the email addresses of job applicants.

U-T San Diego reports that the hospital employees made this mistake not just once, but twice.

The first batch of details, which was enclosed in a spreadsheet file, contained information about 14,121 patients, consisting of names, dates of birth, primary diagnoses, admission and discharge dates, medical record numbers and other details like insurance claim data.

This was sent to the email inboxes of four job applicants, who, in turn, forwarded the file to another two individuals. As such, the details were exposed to a total of six people, but two of them could not open the document.

While investigating this incident, the hospital representatives said that they found evidence of a similar leak, this time with info on 6,307 patients, registered for treatment between June 30, 2009 and June 30, 2010.

The details leaked to third-party individuals contained names, discharge dates, the locations where the patients were treated, and account info (name of the insurance company, outstanding balance).

The spill was larger in this case because, besides the info being sent to three candidates, six more were able to access it when they took a test on the company’s computers.

Sensitive and confidential details should always be protected and stored securely on systems that are not accessible from just any computer in the building, and certainly not without authentication.

A spokesperson for Rady Hospital, Ben Metcalf, told U-T that the first leak happened because the employee attached the wrong file to the email for the candidates. He explained the second incident by saying that the employee “did not realize that the information constituted protected health information.”

He also said that in both cases, the intended purpose of the files for the job applicants was to judge their skills as part of the hiring process.

In order to prevent such embarrassing cases in the future, Metcalf announced that the hospital reviewed its evaluation process for candidates and now requires the use of only validated testing programs.

Furthermore, the employees are to improve their computer skills and ability to recognize confidential information through new training processes.

The parents of the children affected by the incident have been notified of the data leak via email.