Email Blunder Exposes Identity of 780 HIV Patients in the UK
Healthcare organizations face a myriad of security threats. But the news this week about a UK clinic exposing the identities of 780 HIV positive patients was a purely self-inflicted wound.
There are plenty of challenges facing healthcare IT organizations out there. The attacks on major health networks in the U.S. including Anthem, Premera and Community Health Services signal that hospital networks and insurers are in the crosshairs of sophisticated adversaries. Similar trends have been seen outside the U.S., as well.
But while sophisticated and stealthy attacks on healthcare providers may be on the rise, news out of the United Kingdom this week reminds us that, often, the cause of a damaging and embarrassing data breach is all too easy to spot.
As the Guardian reports, the UK’s National Health Service found itself apologizing this week for an embarrassing breach at a London clinic that exposed the identities of some 780 HIV patients. The cause of the breach was an all too common mistake: the “cc” field on an e-mail message.
According to UK health secretary Jeremy Hunt, a staff member at the Dean Street clinic in London sent a newsletter for patients using the clinic’s HIV and sexual health services with the names of recipients pasted into the “cc”(or carbon copy) field rather than the “bcc” (blind carbon copy) field.
It’s an error that is familiar to any modern office worker. However, in this case the stakes were high. UK officials have warned that medical records are of particular interest to cyber criminal gangs there which hope to leverage the information they contain to enable identity theft scams or even blackmail and extortion campaigns.
The stakes are high for healthcare firms that experience a breach, as well. Insurers are pushing back on damages claims when there is evidence that a provider failed to fulfill its responsibility to protect sensitive patient data. The failure to take steps to prevent simple errors like the cc/bcc confusion might be cited by an insurer in denying a claim.
Clearly there are many possible remedies to inadvertent leaks like this. Email marketing products make it a simple matter to distribute newsletters to customers or patients while also protecting the identities of your subscribers. Even barring those powerful and inexpensive services, simple application logic can be used to warn senders when they have pasted a long list of recipients into the “cc” field and ask them to confirm their decision to do so. Finally, data leak prevention tools can protect lists of patient names from being transmitted outside of an organization.
Hunt, the UK’s health secretary, said that country’s Care Quality Commission would conduct an independent review of the effectiveness of existing data security measures in the NHS and recommend changes. One object of that inquiry would presumably be to close technical loopholes that allow inadvertent data loss incidents such as this, as well as to beef up protections against cyber attacks, he said.
It’s likely that it wont take long for those investigators to get to the bottom of this incident. The bigger question is what steps they will take to remedy it and to address the larger, structural problems that make healthcare providers so prone to hacks and mishaps.