Last week, the 56 Dean Street clinic in London mistakenly divulged the names and email addresses of 780 patients who had been tested for HIV. The incident is just another example of how human error can compromise businesses, of any size and in any country. Learn what IT service provides everywhere can do to prevent data crises like this.
It Just Takes One Human Mistake
While we typically recommend MSPs write and send newsletters to stay in-touch and gain trust with prospects and clients, as the clinic learned, failing to hide the recipient list is a recipe for a data privacy disaster. In an effort to provide information about its Option E service, enabling patients to schedule appointments and receive test results by email, the clinic sent out what was meant to be a helpful newsletter to those who had opted in, but ended up exposing highly sensitive patient data when the emails were sent in a group and not individually. See below image of the email newsletter:
When the highly respected sexual health clinic discovered their mistake, they recalled the email and apologized publically, promising no further data leaks. As you know, however, once information is out there, it's out there. As a result of a single human mistake, the clinic's reputation has been tarnished. More significantly, the nearly 800 people who may or may not have tested positive for HIV now face stygmatization and false assumptions.
As a result of this huge data breach, Health Secretary Jeremy Hunt has ordered an inquiry into the National Health Service's (NHS) process of managing confidential medical data. The Care Quality Commission will be reviewing existing data security policies, identifying vulnerabilities that could lead to cyber-attacks or data compromises by human error. Although still in review, it can be certain that the commission will attempt to win back public trust by introducing new changes to data protection measures currently in place. While the clinic has already assured the patients who've been affected that it's launching an investigation, many suspect the information commissioner's office (ICO) will do the same.
Legal Implications in the U.K.
As we know from our HIPAA and the Healthcare Vertical Opportunity MSPedia article, if such a breach were to occur in the United States, the clinic, if found guilty of HIPAA noncompliance, could be fined anywhere from $100-$50,000 per violation with an annual maximum of $1.5 million. Conversely, in the UK, the ICO can fine up to £500,000, roughly $771,600 for devastating data breaches that violate the Data Protection Act (DPA). How responsible are the IT solutions providers that serve these healthcare clients, and what standards must they adhere to? Under the DPA, anybody (not just MSPs) who processes data must:
only gather data needed for a specific purpose
secure the data
keep it relevant and up-to-date
only store as much as is needed for as long as it's needed
allow the patient (or individual whose data you're managing) to access this data upon request
You'll also recall from a previous blog post, Getting Up to Speed with European Data Privacy Reform, that the EU Data Protection Directive is Europe's current enforceable data privacy standard. While the DPA does not explicitly address data privacy, it was introduced into British Law as a response to the larger EU directive.
What IT Service Providers Can Take Away from This Calamity
Even though this avoidable disaster took place in the U.K., MSPs everywhere should be on high alert. Human error is a global IT crisis we all need to be aware of. I think that often, we forget about the human component of IT; we become so immersed in policy and process, that we become removed from the people whose data we're safeguarding. Data, in and of itself, seems impersonal until you're reminded just how massively data loss, leaks, and breaches can destroy real people. For the 780 patients who are dealing with real health concerns, privacy and discretion isn't just a right, but a fundamental need. No matter which country we're located in, we're all human, and we all make mistakes. We can accept that. What we cannot accept is letting those mistakes jeopardize a client's quality of life. MSPs must consistently educate users about the behaviors and habits that threaten data security. You must also conduct thorough risk assessments to identify vulnerabilities that clients are not likely to spot. Lastly, you must train your own personel to understand the compliance regulations of any verticals you serve and never assume they're 100% error-immune.
Meet Mary! Mary McCoy is a Demand Generation Programs Manager at Continuum, where she's worked for over two years. Mary primarily manages the MSP Blog and has consulted with hundreds of partners, lending website, blog and social media support. Before that, she graduated from the University of Virginia (Wahoowa!) with a BA in Economics and served as digital marketing intern for Citi Performing Arts Center (Citi Center), spearheading the nonprofit’s #GivingTuesday social media campaign. Like her school’s founder, Thomas Jefferson, Mary believes learning never ends. She considers herself a passionate, lifelong student of content creation and inbound marketing.