OUTSIDE VENDORS CONTINUE TO CAUSE SERIOUS DATA BREACHES FOR HEALTH CARE ORGANIZATIONS
While more and more businesses and organizations are instituting proper in-house data security and privacy procedures to protect the electronic personal information they hold, outside vendors continue to pose a serious risk of data breaches.
St. Elizabeth’s Medical Center in Massachusetts recently notified over 6,800 patients that their billing information, including credit card numbers and security codes, may have been compromised when a vendor removed the hospital’s documents from a building scheduled for demolition. The hospital had intended for the documents to be shredded. However, in February five documents from the hospital were found blowing around a field in Charleston, MA. The documents contained cashier’s receipts for credit card payments made by patients at the provider’s facilities. St. Elizabeth’s immediately attempted to locate any additional documents but was unable to do so. While the hospital found no evidence that any information had actually been misused, the documents potentially contained patients’ billing information, credit card numbers and security codes. The hospital therefore determined that it needed to alert all patients whose information had been stored in the office building that was being demolished.
This incident was the second recent health care data breach in the Massachusetts region. In March, CVS Caremark Corporation announced that it had mistakenly sent letters to approximately 3,500 health plan members that disclosed other members’ personal medical information. This incident was attributed to an unspecified “program error” by CVS’ pharmacy benefits manager.
Both of these incidents demonstrate that organizations must institute proper information security procedures not only for their own employees but also for the outside vendors who have access to such information, and must verify that those vendors actually follow them. Numerous data breaches and cyber security incidents could be avoided if organizations routinely conducted a critical review of their personal information protection policies and procedures, including how vendors handle, transport and destroy records. The last thing that any organization wants to learn is that its customers’ or patients’ personal information is “blowing in the wind”, so to speak, in a Charleston, Massachusetts field.