Privacy Incident: Ohio Board of Nursing Exposes Personal Information of 3,031 Individuals

The Columbus Dispatch reported today, “OHIO BOARD OF NURSING Error puts nurses‚Äô personal data online.”
Reportedly over the past two months the “names and Social Security numbers of 3,031 newly licensed nurses were posted online twice.”

It was not caught by the the Ohio Board of Nursing, but they were alerted for the second incident by one of the nurses who found her SNN out on the website.
I discussed responding to privacy breaches in my webinar, “Anatomy of a Privacy Breach” this past Tuesday; a significantly large amount of incidents are not discovered internally, but are reported to organizations by people outside, such as customers, the general public, news media, and so on. This demonstrates a huge lack of controls over personally identifiable information (PII) along with a lack of procedures to properly identify when something bad is going on with PII…when incidents occur. In fact, a 2006 Ponemon Institute survey of corporate privacy practices revealed 1/3 of companies have no breach response plan, and 30% of all breaches were reported from outside sources.
As computers and data becomes more mobile, more breaches will occur. As increasingly more technologies are being used, more breaches will occur. As PII is put into the possession and care of increasingly more people, more breaches will occur. The time of having all the PII in an organization centrally located in one database on a tightly secured mainframe is pretty much over. Organizations must be prepared; they must have controls in place, procedures to consistently apply the controls and to identify incidents, and this includes having a documented security incident and privacy breach identification and response plan.

“a board employee accessed a government database while preparing a report but failed to remove the Social Security numbers before posting it.”

This happened twice, from November 14 – November 27, and from Janary 12 to January 16.

“The employee has been disciplined, Houchen said. “The board is very sorry for this mistake, and we are concerned for the licensees and any impact our error could have on them,” she said. The board sent letters to the nurses on the lists explaining the mistake and warning them to monitor their credit reports.
Other groups, including Ohio University and Ohio State University Medical Center, have either posted personal information online or have had information stolen from their computer systems, and in such cases have said they will pay for a year of credit monitoring for the victims. This week, Nationwide announced that the personal information of tens of thousands of customers had been stolen. Nationwide also offered to pay for credit monitoring.
The nursing board, however, said it won’t pay.
“We don‚Äôt have any confirmation of any misuses resulting from the error,” Houchen said. “There were about 64 hits on that link and those could have been from our staff.” “

Wow; talk about a very bad statement to make to the press! They are concerned about the impact of their error, but they are not going to do anything about it!
They make a mistake…TWICE…and put PII of over 3,000 nurses at risk, and since they think since THEY have not confirmed misuse that they do not need to be responsible for the impact on the individuals. They are telling over 3,000 people that the victims must now pay for credit monitoring services for THEIR ORGANIZATION’S mistake!
Gee, what if this were the attitude and decision of everyone?
What if locksmiths who had lost all their labelled keys that they made for 3,000 homes told those homeowners, “Shucks, we made a mistake. You’d better watch out now, though, and install some good burgler protection in your homes cuz we don’t know who might have a copy of your key and sneak into your house to steal you blind at night…or even worse…while you sleep.”
What if a payroll company did the automatic deposits for the employees of the Ohio Board of Nursing? What if they made a “mistake” and posted all the employee checking account information on their Internet website for a couple of months, then told them, “Garsh, sorry, we had one of our website visitors tell us all your checking account information was posted for everyone to see for a couple of months. Heck, it was just a mistake, and we’ve given the person who did it a good talking to! Oh, by the way, you’ll probably want to change your checking account and enroll in credit monitoring because no telling who has your information now, and you don’t want someone siphoning out your life savings. It will probably take you a lot of time, and you may have already lost a ton of money, but know that we are sorry it happened, and that it was just a mistake!”
Wonder if they’d feel differently if they were put into the impacted individuals’ shoes?
They apparently do not understand or realize that just because there were “about 64 hits on that link” doesn’t mean that information was not mirrored on another site…or multiple sites…somewhere else waiting to be misused. It doesn’t take long for information that’s been put on the Internet to be copied, over and over again. Many organizations have painfully learned this lesson after their own “mistakes.” Once you put information on the Internet it is pretty much like releasing helium balloons with postcards attached into the air. You can never know for sure who has seen, or copied, that information.
Organizations should not make the victims of the organization’s own bad controls pay for their incidents.
Organizations must take responsibility for the security of the PII that they have been entrusted to protect. They need to have a strong information security and privacy program in place.
In today’s business world, every organization that collects, handles, accesses, or otherwise has contact with PII, in any form, must have a well-documented and tested security incident and privacy breach response plan.
It is worth noting in this case that the Ohio Board of Nursing has no information security or privacy policy posted on their website; if they do, it is well hidden.
This is a government agency for the State of Ohio. What, if anything, will the Ohio State Attorney General do about this? Maybe those nurses whose PII was exposed should file a complaint. If people don’t hold organizations accountable for protecting their PII, and if regulatory and oversight agencies don’t hold them accountable or apply fines and penalties, it is likely many organizations will not be motivated to implement the safeguards and procedures necessary to properly protect PII.
Identity fraud and theft has long-term consequences, often the victims spend many years of dealing with denied loans, not getting a job because some criminal used your PII to purchase illegal items, or an assortment of other bad things that they should not have had to deal with in the first place if organizations had secured their information. It is very costly in dollars and time for the victims to resolve.
Organizations need to step up to the plate and be more responsible for protecting PII.

Tags: , , , , , , , , ,

Leave a Reply