Tri-City Medical Center investigating possible Facebook breach

Date Reported:
5/23/10

Organization:
Tri-City Healthcare District

Contractor/Consultant/Branch:
Tri-City Medical Center

Location:
Oceanside, California

Victims:
Patients

Number Affected:
Unknown

Types of Data:
Patient information

Breach Description:
"Dozens of Tri City Medical Center employees may have shared patient's information in social networking sites without the consent of patients."

Reference URL:
North County Times

NBC Channel 2 News

Report Credit:
Paul Sisson, North County Times

Response:
From the online sources cited above:

Tri-City Medical Center is investigating a possible breach of patient privacy that may have occurred on Facebook, the popular social networking site with more than 400 million members.

Officials did not disclose Friday exactly what information was shared or who shared it, but a rumor began circulating about a week ago that 26 Tri-City employees had been fired or suspended for posting patient information online.
[Evan] 26 employees fired or suspended?!  If this were true, then it is safe to say that Tri-City is taking this very seriously.  I wonder if Tri-City educates their employees on the use of social networking (Facebook, Twitter, MySpace, etc.) and regularly communicates what the organization expects of them.

Courtney Berlin, the public hospital's spokesperson, said there had been no firings or suspensions, but that the hospital was looking into the alleged incidents.
[Evan] So the rumor is that there were 26 fired or suspended employees, but the hospital claims that there are none.  Conflicting reports.  I dunno.

"We're investigating," Berlin wrote in two separate e-mails.

If Tri-City were to find that its employees have shared private health information on Facebook, it wouldn't be alone.

Hospitals nationwide have begun to struggle with what their employees can and cannot share in the massive social site that connects friends, family and casual acquaintances.

Tri-City has had a previous run-in with privacy concerns.

In May 2007, Tri-City fired 10 employees for reportedly taking pictures of at least one patient X-ray without permission.

The firing occurred even though hospital officials said no personally identifiable information was photographed.

"Invasion of privacy is invasion of privacy," says Dean Nelson, director of Journalism at Point Loma Nazarene University. "The laws are never up to date with technology and with the culture."

Nelson, who follows social media trends, says networking sites are throwing some private companies a curve ball.
[Evan] The private companies who have not taken information security seriously and who have not stayed in touch with reality are the companies who have faced a "curve ball".  Social networking did not just show up a few days ago; it has been here for a few years now (Facebook was launched in 2004).  If you have been paying attention, you may have noticed the rise in social networking.  Wouldn't it have been reasonable to assess the risks posed to your organization?  In my opinion, companies that get caught with fewer "curve balls" are the companies that stay ahead of the curve.

"Companies are definitely on the forefront of this because they've been embarrassed," he said.

As Tri City continues its investigation, Nelson argues new rules and regulations will soon follow.
[Evan] This is likely the unfortunate truth.  Manage your information security efforts with risk in mind, not rules and regulations.  Then you don't have to worry.

"We have more opportunity to put private information out there for the public, but eventually the company is going to have to figure out how much is too much."
[Evan] I argue not the company, but the individual who owns the data.  The company is merely a custodian and user of the owner's data.

Commentary:
Social media is certainly a risk area that must be explored and addressed in every organization.  Our (FRSecure's) approach to social media is pretty simple: we tackle the issue from two perspectives, inside the office and outside the office.  Even if your organization prohibits access to and use of social networking sites from the office, many of your personnel will be using them from home.  In the office we can go as far as prohibiting all access; at home we can't do that.  At home, the dynamic has changed.  We can't prohibit social networking access at home, but we do have some say in what information our employees may share about our organization and its customers.  The fundamental question is: what will you allow and what will you not allow?  Document your requirements in policy, and seek controls that allow you to enforce and monitor compliance.  At the same time, keep both perspectives in mind.  Don't forget mobile device access either.

The numbers and impacts of breaches occurring through social media are real.  The problem will only continue to grow in the coming years.  If you haven't addressed this issue, do so now!

Past Breaches:
Unknown
