Protect Your Association from a Privacy Breach

Let’s face it, privacy breaches DO happen and they are scary. They are also preventable, and you can prepare for them to minimize the damage a breach causes. A privacy breach is when there is unauthorized access to, or collection, use, or disclosure of, personal information. It’s basically the robbery of a person’s right to privacy of their personal information.

Breaches in the Health Industry

Some small-scale privacy breaches, unfortunately for the victims, go unreported, but luckily some get caught. An example is a healthcare worker posting a comment on Facebook about a patient’s behavior during a procedure. There was also one where a patient’s relative overheard a Toronto doctor openly chatting on his cellphone about the patient’s personal details at a pizza joint. Yes, while standing in line in public for pizza.

Toronto’s former mayor Rob Ford even had his privacy breached through two health professionals snooping his medical records.

There are cases that have happened closer to home. In Edmonton, Alberta in September 2013 a laptop from a Medicentre was stolen and it unfortunately had unencrypted personal health information. The approximate amount of Albertans affected was a whopping 620 000. Many Albertans were appalled that their information was stored unprofessionally on a laptop that was able to be stolen. As you see breaches can happen through non-confidentiality by a doctor and the loss of physical documents, but today we’ll be focusing on digital privacy breaches, such as the laptop case.

Who Would Want to Breach Privacy?

A privacy breach can be accomplished by a variety of people or groups of people. Some are listed below:

  • Vengeful employees (yes, CURRENT employees)
  • Angry ex-employees (internal data breaches, which we will touch upon)
  • Third parties
  • Virus or malware
  • People you’ve agreed to share information with
  • The company’s own error, such as emailing personal information to the wrong people
  • A broken system that left information open to the world

Yes, it does sound like you can’t trust anyone, but this isn’t the case! Once you thoroughly think through all the ways a breach can occur, it’s just a matter of taking every available step to prevent them. This won’t keep you 100% protected from a privacy breach, because that is impossible, but it will protect you well.

What’s the Damage of a Privacy Breach?

Well, it can get extremely costly, in proportion, of course, to the size of your organization. According to a global analysis done a year ago, the average cost of a data breach was around 3.5 million US dollars. Data breaches in the American health care industry cost nearly 1.6 billion US dollars each year.

Not healthcare related, but remember Target? The last store in Canada just shut down a couple of weeks ago, but they are well-known for being successful in the US. In December 2013 they had a data breach that resulted in the theft of personal information of up to 110 MILLION CUSTOMERS! Each customer can receive up to $10 000 US in damages, but they must provide proof (i.e., a credit card statement). Target has so far proposed to settle the class actions by paying $10 million US, but we won’t find out if it has been approved until November 2015.

The monetary cost to fix a privacy breach is not the only damage that occurs. There is also the punishment of those involved, and for some organizations this can unfortunately mean firing their employees. Between 2011 and 2012 almost 300 patient records were looked at without permission by seven staff members at Peterborough Regional Health Centre. This Health Centre performs abortions, which many women keep confidential, often even from loved ones. Many felt betrayed that their records had been snooped on, giving patients a negative perspective on this Health Centre. Those seven staff members have since been fired.

There are tons and tons of cases we could show you, but more importantly we want to help make sure you prevent this from happening to your association.

How Can I Prevent a Privacy Breach?

You will never be 100% safe from a privacy breach. As mentioned earlier, there are employees who can suddenly feel the need to snoop around in a member’s personal records or even accidentally cause a breach, but it is outsiders that you should protect your association from most, as they historically seem to be able to do the most damage.

Firstly, you need to do a review of your current data storage and access system. Kind of like a spring cleaning. You should know what information your College or association is keeping…do you need all of it? There is no need to hold excess information, because it only means more storage space taken up on your server or cloud and more information that can be stolen during a breach. Be a minimalist: only keep what you need. When you know your data, you can protect it even better.

Internal Protection

You should find out who has access to information in your association. Do they all need access? What are they doing with this information? You don’t need to grant all staff members access to all the information. Keep it minimal, as long as it doesn’t interrupt their productivity. This can help lessen the damage of a possible breach by not making all the data available to all employees.

Training staff about the importance of privacy, confidentiality, security, their access, their responsibilities, and the consequences of failing to take on those responsibilities is very important. With training, employees become accountable.

When an employee quits or is terminated from the association, ensure that you have a termination policy and follow it! That policy should ensure that all of their passwords are changed or their user accounts disabled, and that any shared access to systems is terminated immediately. You should also make sure your passwords are strong and unique, possibly containing a combination of upper and lower case letters, numbers, and even a punctuation character here and there. Make sure you are using different passwords for all accounts; that way, if an employee, ex-employee, or even a hacker gains access to only one account, you only have one password to change.

It will also probably be difficult to keep track of all these passwords, so a password management system will come in handy. Management systems such as LastPass and 1Password also keep your passwords in encrypted storage, so you don’t have to worry as much about THAT being hacked.

External Protection

Methods you can use to protect your data from outsiders should include:

  • Encrypt mobile devices like smartphones, tablets, laptops, etc., as mentioned in the Edmonton Medicentre case above. If one of these is lost or stolen, it will be extremely difficult for someone to break in and see your data.
  • Do not reply to phishing emails. If one looks legitimate, still contact your association first and confirm.
  • To avoid even worrying about a privacy breach due to the loss or theft of a portable device, it’s ideal not to store important data on portable devices at all. We find that this is helpful to include in your association policies and training.
  • Whenever doing business with another organization, research and also ask what kind of security and privacy policies they enforce. If they require your data for a service, do they destroy it right after? Things to think about.
  • Also, only share NEEDED information with a third party. Nothing more. Being lazy and handing over a full spreadsheet of sensitive data can hurt your organization, especially if you cannot monitor its use.
  • Do a scheduled review: every 6 months to a year, review your privacy policy and make sure all devices adhere to the policy.

If you have any questions or comments, please leave them in the comment section below! We will also gladly take any tips that may be missing from the list above! Have a great day!