On Friday (the second best day to report bad news), American Airlines announced that a hard drive had been stolen from it’s Fort Worth headquarters building.
On this hard drive was current and former employee:
- Names
- Addresses
- Dates of birth
- Social Security numbers
- some bank information
Oh, and “No customer data was affected”…whew! I’m sure the employees are grateful.
Things we don’t know:
- Was this a portable hard drive?
- Was this on a computer that was being “thrown out”?
- Was this an actual break-in theft?
- What policies were broken regarding storage of this hard drive?
So, why discuss this non-medical event?
It is another solid example how you can’t overlook anything.
You need to have policies in place:
- Physical security
- Is your server room locked?
- Are patients able to wander from the waiting room to the back without escort?
- Encryption?
- Is PHI stored on portable devices?
- Should your entire server be encrypted?
- Reaction Checklists
- Once a suspected (or actual) data release occurs, what do you do next?
You need to have your act together ahead of time so something like this does not consume every moment of your day and prevent you from generating income.
