I read this article from TheRegister with mild interest:
“Medical Data Experiment goes horribly wrong: 950,000 records lost” – http://www.theregister.co.uk/2016/01/27/centene_loses_95000_medical_records_on_six_hard_disks/
Ok, so yet another ‘company loses personal data, warns as a precaution’ story. In this case, six hard disks apparently containing personal health information of around 950,000 people.
So my initial thought was something along the lines of “are people really still misplacing whole hard disks in 2016?”
Personally, I suspect it is more likely an accounting problem than a physical loss – they are probably labelled up wrong, or left in a drawer somewhere, or have been re-used and nobody noticed, that kind of thing. But it is interesting to look at the phraseology of two consecutive press releases from the company involved (no, I’m not quite sure why I looked them up either – but I did!).
On the data loss:
“Centene has determined the hard drives contained the personal health information of certain individuals who received laboratory services from 2009-2015 including name, address, date of birth, social security number, member ID number and health information. The hard drives do not include any financial or payment information. The total number of affected individuals is approximately 950,000.”
Fair play – they are admitting their mistake and attempting to do the right thing:
“Notification to affected individuals will include an offer of free credit and healthcare monitoring. Centene is in the process of reinforcing and reviewing its procedures related to managing its IT assets.”
Otherwise, without openness and honesty around such issues, how can lessons be learned?
But the following day, the next press release announces their financial results for the year:
“On January 25, 2016, the Company announced an ongoing comprehensive internal search for six hard drives that are unaccounted for in its inventory of approximately 26,000 information technology (IT) devices. This incident resulted from an employee not following established procedures on storing IT hardware. While we cannot estimate the impact with certainty at this time, the Company does not expect the impact of the incident to have a material effect on its future growth opportunities, financial position, cash flow or results of operations.”
Yes – they don’t expect the fact that 950,000 people’s personal health details have gone missing to affect their financial position now or in the future.
I guess that answers the question of why it is 2016 and companies still lose whole hard disks of personal information. If there is minimal financial impact, it is good business sense for them to keep their procedures at the minimum deemed necessary – that is just sensible business risk-management. In fact the whole ‘free credit and healthcare monitoring’ offer could be seen as a cost-effective insurance policy against possible loss should it occur, compared to the costs of labour-intensive, fault-free asset management to prevent any chance of loss up front.
These things will only change when the issue affects the companies involved much more significantly, rather than just ending up a problem for the people whose data is lost.
In the UK, I guess we have the Information Commissioner’s Office guidelines for handling data and its ability to set fines, but even this misses the point for me. A fine is after the fact, and with so many charities and volunteer organisations (cough, Scout National database) storing personal details, a significant fine would end up burying an organisation and an insignificant fine is largely pointless. But either way the data will still be lost. So the answer to this one is really education – so to that end, the ICO Guide to Data Protection is great – but unless someone is actually auditing and proactively educating organisations (or, perhaps more appropriately, the companies now selling online services to organisations) on these principles, I suspect we’ll keep seeing problems occurring.
As we see massive growth in companies providing online payment services (ParentPay, SchoolMoney, PaySchool and so on), information and content management (dbPrimary, Google for Education, etc.), communications and mailing services (ParentMail, etc.), biometric authentication (40% of secondary schools apparently), online learning, and so on to education and charities, more of our data ends up online regardless of the fact that it might not be us putting it there! For a cash-strapped organisation, managing both an offline and an online database isn’t going to happen. You might not use their online system, but your data will be there as they’ll be using it themselves.
The school use of biometrics is particularly worrisome – many kids may have their biometrics compromised before they are even old enough to decide for themselves if they want to hand over their biometric signatures to any company.
Fundamentally, at present, all the risk from a company storing your data is on you, not them. Until that risk balance is addressed, I guess we will stay at the mercy of “bottom line (non-)impact” reporting. And whilst it is convenient and cost-saving for organisations to use more of these online services, our data will keep being stored who knows where and there is very little we can do to stop the tide of information uploading.