University of Florida doctor loses job over breach

Date Reported:
5/20/08

Organization:
University of Florida

Contractor/Consultant/Branch:
College of Medicine

Victims:
Patients

Number Affected:
~1,900

Types of Data:
Digital photographs, names, dates of birth, Social Security numbers, and Medicare numbers

Breach Description:
"University of Florida officials will be notifying about 1,900 patients of a UF plastic surgeon that their private health information might have been breached after the information was managed and disposed of improperly."

Reference URL:
Jacksonville Business Journal
WOKV Radio News
First Coast News

Report Credit:
Jacksonville Business Journal

Response:
From the online sources cited above:

JACKSONVILLE, FL -- The private health information of 1900 local patients may have been compromised when a Jacksonville doctor gave his computer away.

Dr. Francis D. Ong, a UF assistant professor of plastic surgery at the UF College of Medicine-Jacksonville, stored unsecured digital photographs of his patients and identifying information -- such as names, dates of birth, Social Security numbers, and Medicare numbers -- on a computer.

The patients involved were treated by Dr. Ong between July 2005, when he joined UF, and December 2007.

Ong then gave the computer to a family he was friends with in late January or early February this year.
[Evan] So, is it safe to assume that Dr. Ong owned this computer?  If so, I can think of (at least) three problems that led to this breach.  First, the storage of confidential information on a poorly (or less) secured client workstation.  Second, the disposal of a client workstation in an insecure manner.  Third, the use of a personally owned computer on a corporate (or organization) network.

One of the friends using the computer replaced its operating system, resulting in the permanent loss of most of the patient information.
[Evan] Not true.  Formatting and re-installing an operating system will not result in permanent loss of data.  Depending on factors such as disk size, amount of previously stored data and location on disk, much of the confidential information could still be retrieved with relative ease.

"The family had installed a new operating system on the computer February 24, so roughly around three weeks after they got the computer and they had destroyed most of the information that was on the hard drives,"
[Evan] See my comments above
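To make the data-remanence point concrete, here is an added illustration (not part of the original post or the news reports) using a constructed in-memory "disk": a quick format that rewrites only the filesystem metadata leaves the old patient records in place, whereas a full overwrite before disposal does not. The block size, header layout and record format are assumptions chosen for the toy model, and the residual-data check is a simple pattern scan, not a forensic tool.

```python
import re

# Toy disk layout (assumed for this model): a few metadata blocks followed
# by data blocks holding one record each.
BLOCK_SIZE = 512
HEADER_BLOCKS = 4

# Constructed sample records; the SSNs are placeholders, not real values.
RECORDS = [
    b"patient=Jane Roe;dob=1960-01-02;ssn=123-45-6789",
    b"patient=John Doe;dob=1955-07-14;ssn=987-65-4321",
    b"patient=Pat Smith;dob=1972-11-30;ssn=555-12-3456",
]

SSN_RE = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")


def make_disk(records, blocks=64):
    """Build the toy disk: old filesystem header plus one record per block."""
    disk = bytearray(blocks * BLOCK_SIZE)
    disk[0:HEADER_BLOCKS * BLOCK_SIZE] = b"OLDFS".ljust(HEADER_BLOCKS * BLOCK_SIZE, b"\0")
    offset = HEADER_BLOCKS * BLOCK_SIZE
    for rec in records:
        disk[offset:offset + len(rec)] = rec
        offset += BLOCK_SIZE
    return disk


def quick_format(disk):
    """Models a format/OS reinstall: only the metadata region is rewritten."""
    disk[0:HEADER_BLOCKS * BLOCK_SIZE] = b"NEWFS".ljust(HEADER_BLOCKS * BLOCK_SIZE, b"\0")
    return disk


def overwrite_sanitize(disk):
    """Models proper media sanitization: every byte of the disk is overwritten."""
    for i in range(len(disk)):
        disk[i] = 0
    return disk


def residual_records(disk):
    """Count SSN-shaped values still present anywhere in the raw blocks."""
    return len(SSN_RE.findall(bytes(disk)))


def is_sanitized(disk):
    """Verification step before disposal: no byte may differ from the fill value."""
    return all(b == 0 for b in disk)
```

The same scan applied to a quick-formatted disk and to an overwritten one is the check a disposal procedure should require before a machine leaves the organization.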

According to UF policy, confidential patient information should only be stored in highly secure university servers, not individual computer hard drives.
[Evan] A good policy statement in most cases.

"Dr. Ong's storage of these pictures and related data on this computer and his subsequent transfer of the computer to a family were in violation of University of Florida policy," said David Behinfar, a privacy compliance manager at the College of Medicine.

As a result, UF officials say Dr. Ong will no longer be working with the University of Florida's College of Medicine.
[Evan] This is likely a necessary step taken by the university.  It is sad for Dr. Ong, but a policy is only as good as its enforcement.

Ong will no longer be working at the college by June.

"Dr. Ong has reported that the family members used the computer for their personal use and have said that neither they nor anyone else viewed any pictures or medical information on the computer,"

The computer has been returned to the University of Florida, and the school tells us the risk of anyone using the information for unlawful or mischievous purposes is extremely low.
[Evan] I agree that the risk to the affected individuals is probably low due to the fact that the chain of custody is pretty well known with some amount of certainty.  This breach could have been much worse.

"We deeply regret this event and apologize to our patients who it may have affected,"

"We have taken steps to prevent incidents of this type from occurring in the future and are continuing to educate our physicians and staff on our electronic data storage policies."
[Evan] Some information security professionals may argue with me, but I am a big proponent of information security training and awareness programs.  In my experience, effective programs pay for themselves.

The UF privacy office mailed letters to patients May 19, which included a brochure offering safeguarding advice and a privacy office hotline number.

Concerned patients of the College of Medicine can call the hotline at .

Commentary:
I was a little surprised to see Dr. Ong's name mentioned so many times in the news reports.  It seems to me that Dr. Ong made an honest mistake and likely regrets his actions in this case.  This is a classic example that demonstrates the responsibility of data users to learn the information security policies, standards, guidelines and procedures that apply to them during the course of their employment.  It is acceptable for an employee to ask questions and seek guidance in areas that aren't clear.

Information security requires cooperation from everyone involved.

Past Breaches:
November, 2007 - University of Florida student info online


 