A Tale of Breach Notification Blunders
Health System Addresses Some Victims as ‘Deceased’
… “Responding to patients about a data breach is a huge responsibility, and organizations must take additional precautions to ensure that it is handled properly to avoid further mistakes,” says Susan Lucci, senior privacy and security consultant at tw-Security.
“Without proper oversight and testing of the planned response process, mistakes can and will happen as we have seen before. Trusting technology without testing and careful review of the steps in place is risky. Trust but verify before letters are sent out.”
Lucci says entities should take a number of critical steps to avoid breach notification mishaps.
“If a large breach requires notification of hundreds or thousands of individuals, be involved every step of the way. Do sample reviews of the data. Think outside the box, using a ‘what could potentially go wrong with this?’ process,” she says.
For example, if an organization is going to use a master patient index, or MPI, for mail merge processes, it must first examine whether the MPI was recently updated. “Is old information in there that is not applicable to the data breach? Are duplicate records present where an individual could receive multiple notifications?”
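The pre-mailing review described above can be made mechanical. The following is an added example (not from the article or from tw-Security) of a validation pass over a constructed MPI extract before a mail merge: it keeps only records the breach investigation actually tied to the incident, collapses duplicate person records so nobody receives two letters, and routes deceased or long-unverified records to a manual-review queue instead of the outgoing mail. The record layout, the staleness threshold and the sample data are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass
class MpiRecord:
    """One row of a master patient index extract (assumed layout)."""
    mrn: str
    first: str
    last: str
    dob: str            # ISO date string, used as part of the person key
    address: str
    deceased: bool
    last_updated: date  # when this demographic record was last verified

# Constructed sample extract; names and addresses are fictitious.
SAMPLE_MPI = [
    MpiRecord("1001", "Jane", "Doe", "1980-01-01", "1 Elm St", False, date(2023, 11, 1)),
    MpiRecord("1002", "jane", "DOE", "1980-01-01", "9 Oak Ave", False, date(2019, 5, 1)),  # duplicate of 1001
    MpiRecord("1003", "John", "Roe", "1975-03-09", "4 Pine Rd", True, date(2022, 6, 1)),  # deceased
    MpiRecord("1004", "Alice", "Smith", "1990-07-21", "7 Birch Ln", False, date(2018, 1, 1)),  # stale
    MpiRecord("1005", "Bob", "Brown", "1985-12-12", "2 Cedar Ct", False, date(2023, 8, 1)),  # not in breach
    MpiRecord("1006", "Carol", "White", "1968-02-28", "5 Maple Dr", False, date(2023, 9, 1)),
]

# MRNs the incident investigation identified as affected (constructed).
AFFECTED_MRNS = {"1001", "1002", "1003", "1004", "1006"}
AS_OF = date(2024, 1, 15)  # assumed mailing date


def person_key(r: MpiRecord) -> tuple:
    """Identity key used to spot duplicate records for the same individual."""
    return (r.first.strip().lower(), r.last.strip().lower(), r.dob)


def build_notification_list(records, affected_mrns, as_of, stale_after_days=365):
    """Return (recipients, exceptions).

    recipients: one entry per person, ready for mail merge.
    exceptions: records that must not be auto-mailed and need human review.
    """
    cutoff = as_of - timedelta(days=stale_after_days)

    # 1. Drop MPI rows that are not part of this breach at all.
    in_scope = [r for r in records if r.mrn in affected_mrns]

    # 2. Group by person so duplicate MPI entries produce a single letter.
    by_person = {}
    for r in in_scope:
        by_person.setdefault(person_key(r), []).append(r)

    recipients, exceptions = [], []
    for key, rows in by_person.items():
        # Prefer the most recently verified record for the mailing address.
        best = max(rows, key=lambda r: r.last_updated)
        merged = sorted(r.mrn for r in rows)

        if any(r.deceased for r in rows):
            exceptions.append({"mrns": merged, "name": f"{best.first} {best.last}",
                               "reason": "deceased flag set; do not address letter to the patient"})
            continue
        if best.last_updated < cutoff:
            exceptions.append({"mrns": merged, "name": f"{best.first} {best.last}",
                               "reason": f"address not verified since {best.last_updated}; confirm before mailing"})
            continue

        recipients.append({"mrns": merged, "name": f"{best.first} {best.last}",
                           "address": best.address, "duplicates_merged": len(rows) > 1})
    return recipients, exceptions


def run_sample():
    """Run the check over the constructed extract."""
    return build_notification_list(SAMPLE_MPI, AFFECTED_MRNS, AS_OF)


if __name__ == "__main__":
    recipients, exceptions = run_sample()
    print("Ready to mail:")
    for r in recipients:
        print(" ", r)
    print("Manual review:")
    for e in exceptions:
        print(" ", e)
```

The exceptions list is the point of the exercise: those rows are what Lucci's "sample reviews" would otherwise have to catch by hand, and holding them back from the automated merge is cheaper than a second round of apology letters.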