The Centers for Osteopathic Research and Education exposure
Date Reported:
7/24/08
Organization:
Ohio University
Contractor/Consultant/Branch:
The Centers for Osteopathic Research and Education (CORE)
Victims:
"individuals who have provided academic programming for the medical education consortium"
Number Affected:
492
Types of Data:
Names, contact numbers, addresses, training topics, Social Security numbers and federal employer identification numbers
Breach Description:
"(July 24, 2008 -- Pickerington, OH) The Centers for Osteopathic Research and Education (CORE) removed a Web document last week that inadvertently contained personal information belonging to individuals who have provided academic programming for the medical education consortium. CORE has identified, sent information to and developed resources for the 492 presenters affected."
Reference URL:
CORE Press Release
FOX Channel 28 News
The Athens Messenger
The Columbus Dispatch
Report Credit:
The Centers for Osteopathic Research and Education (CORE)
Response:
From the online sources cited above:
A clerical error led to the online posting of the names and Social Security numbers of 492 people who spoke at Ohio University's Centers for Osteopathic Research and Education, a spokeswoman said.
A college spokeswoman says an Ohio University employee accidentally posted the names and Social Security numbers of about 500 doctors and nurses online and left them there for months.
[Evan] Employee accidents will happen. After all, we are all human. Our job as information security personnel is to limit the frequency and impact of these mistakes. Training and awareness and segregation of duties are just a couple of good administrative controls we use.
On July 16, the centers, known as CORE, removed a spreadsheet that contained the information.
It had been accessible since March 20 and was discovered when a nurse found the information last week while conducting online research.
[Evan] The information was exposed for almost four months. The fact that it was discovered by someone not affiliated directly with CORE adds to the embarrassment.
A document that should have been posted did not contain personal information, according to CORE.
[Evan] Why did the same person have access to both documents? I presume that the exposed document is/was used for tax and tax reporting purposes, so maybe it would be a good idea to limit access to those who handle such tasks. If this employee publishes electronic information for public consumption and handles tax/accounting tasks as part of his/her duties, then CORE might have a problem with segregation of duties, eh?
The document that should have been posted was intended to help CORE’s Residency Program Advisory Committees (RPAC) directors, who coordinate education programs for physicians-in-training and identify and engage medical education speakers. It was not intended to carry personal information.
There is no indication that any of the personal information was misused, said CORE spokeswoman Karoline Lane.
[Evan] There is no indication that CORE is aware of.
"We're just very sorry that this happened," she said.
The person responsible for posting the information was put on paid administrative leave and has no access to the Web site or to CORE data pending a review, Lane said.
[Evan] Does this imply that the employee may be at fault? These things are usually bigger than just a single employee.
In addition to names and Social Security numbers, the spreadsheet included contact numbers, addresses, their speaking topics and federal employer identification numbers.
CORE, based in Pickerington, has sent information to the people affected, posted an informational Web site and set up a toll-free number for questions.
CORE also is offering credit-monitoring service for one year.
"We deeply regret that this error occurred and have moved quickly to verify whose information was involved, send out notifications and establish resources to help the affected individuals," said OU faculty member Keith Watson, CORE board chairman.
[Evan] I do agree and give credit to CORE for their quick notification.
"It is a shame that, in the electronic age, a clerical error can produce such unintended consequences," Watson said.
[Evan] It is a shame, but the electronic age has nothing to do with it. Computers and other electronics only do what they are told (programmed) to do, nothing more and nothing less. The problem(s) that led to this breach are not electronic in nature; they are administrative.
With the help of OU experts, CORE is examining what happened and how it happened.
Within one week of learning about the error, CORE has undertaken the following to assist those whose information was exposed: published an informational Web site (www.ohiocore.org/answers); provided a toll-free call-in number (); and offered credit monitoring service for one year.
Notification letters went out yesterday to all the individuals affected.
CORE is an osteopathic medical education consortium comprising member teaching hospitals, clinical training sites and osteopathic medical schools. The Ohio University College of Osteopathic Medicine is the central academic member of CORE.
Commentary:
It is hard to comment with much precision on breaches concerning human error. I can tell you that most of these types of breaches are the result of poor awareness and poor administrative control, based on my experience anyway.
Past Breaches:
Unknown
