Ireland's HSE caught in another breach
Date Reported:
10/17/10
Organization:
Health Service Executive ("HSE")
Contractor/Consultant/Branch:
Undisclosed "private IT contractor"
Location:
Dublin, Ireland
Victims:
Patients
Number Affected:
1,500
Types of Data:
"sensitive health records"
Breach Description:
A private IT contractor working on behalf of the HSE brought sensitive health records belonging to patients home with the intention of working with them and emailing them back to the HSE office. The private IT contractor accidentally mistyped the recipient email address and sent the information to another government agency, resulting in a security breach.
Reference URL:
Sunday Independent
Report Credit:
Roisin Burke, Sunday Independent
Response:
From the online source cited above:
Hundreds of patient records were seriously compromised by a major security breach at the HSE, the Sunday Independent has learned.
The 1,500 sensitive health records were removed from a Dublin office and emailed to an outside organisation.
A private IT contractor, who was being overseen by a HSE staff member, downloaded the records on to an unencrypted USB key -- something that is absolutely forbidden in the HSE's own protocols.
[Evan] Did the HSE staff member or the private IT contractor know that they were breaking the rules, or are they just ignorant? Let's suppose that the people involved knew that they were breaking the rules, or at least doing something that isn't right. What motivates them to perform the risky behavior when they know it ain't right? Do you suppose that copying the data onto a flash drive and emailing the data back to the office was an easier way to perform their job than whatever compliant solutions were made available? My guess is yes. Information security professionals not only need to restrict certain types of risky behavior, but we also need to provide less risky solutions that still enable work to be done. Information security professionals need to understand what motivates employee/contractor compliance and incorporate a cooperative approach to the risk. It is ineffective to write policy all day and expect people to comply. The problems here are larger than this single incident.
The contractor took the private health records home to work on overnight -- again a serious breach of the health authority's procedures.
[Evan] Just because we write a procedure does not mean anyone is going to follow it.
Intending to email the records on the memory stick back to the HSE, the contractor mistyped the address and instead accidentally emailed them to another State body.
[Evan] So the fact that the flash drive was unencrypted is immaterial in this particular breach.
The security breach was only discovered when the public body involved alerted the HSE.
This serious compromise of client records "has rocked the HSE", a source told this paper.
The internal investigation into it has involved several senior HSE figures and is being considered a "major wake-up call" for the data leak-prone authority.
[Evan] There have been many breaches at the HSE. What makes this wake-up call any different than the others?
The patients involved this time have not been informed that their private information has been jeopardised.
The Data Protection Commissioner has cited the HSE several times in his reports and is said to be investigating why yet another leak has occurred.
Data security is a major headache for businesses and public bodies.
[Evan] It may be a major headache for some businesses, but it certainly is not for all. There are painless approaches to information security that enable business, but unfortunately many businesses are misled. Check out FRSecure's Guiding Principles in Information Security.
The HSE has yet to respond to requests for comment and information on the incident.
Commentary:
Comments above. I have much more to say, but I don't want to bore you in this post. Contact me if you would like to chat more.
This article was posted to The Breach Blog by
Evan Francen, President at FRSecure LLC
Past Breaches:
Numerous