I really like investigations where those carrying them out are not afraid to get down and dirty to find out what really is going on at businesses, and seeing how sloppy practices put privacy, and personal safety, at risk. Digging into dumpsters to find personally identifiable information (PII) is a great indicator of the information security practices of an organization.
Here’s an article about such an investigation to put within your awareness and training files for the ongoing problems organizations have with properly disposing of PII. WTHR in Indianapolis did an investigation into the trash habits of pharmacies. Indeed there are some very sensitive types of information your friendly neighborhood pharmacy has on file about you and all the other folks who fill their prescriptions. Not to mention tossed drugs…but that’s another story…
Some of the more interesting findings of the research done by the television station:
"Over a two-month period, 13 Investigates reporter Bob Segall visited 65 local pharmacies. Actually, he visited their dumpsters. Some were latched, locked or chained. But most had no security at all – out in the open, 24 hours a day. At those dumpsters, we took whatever we found – it’s perfectly legal."
Just take a nice stroll at lunch through your downtown alleys (if you are in a day-safe area), and I am willing to bet you will also find dumpsters wide open containing papers and other potential PII storage media.
"Perhaps more alarming, we found prescriptions, pill bottles and prescription labels that provided personal information about hundreds of patients. In fact, at pharmacies where we took garbage bags, we found more than half of them trashed their customers’ privacy by failing to destroy their personal information as required by federal law. We learned who’s taking birth control pills, who has an enlarged prostate, which customers suffer from depression and which one has a prescription for genital herpes. And along with it, we learned their names, addresses, phone numbers and birthdates. You won’t hear from any of those particular patients, but others are speaking out."
"Margie Kerr was not so fortunate. A thief came to her Bloomington home and stole her prescription painkillers. Detectives say the thief singled out his 76-year-old victim when he found her personal information in an open dumpster behind her pharmacy."
Drug addicts are desperate to get a fix. What better way to find out who has the drugs they need than by digging through the pharmacy, hospital and medical clinic dumpsters? Organizations that do not irreversibly destroy PII before disposing of it are not only out of compliance with HIPAA, but are also putting the individuals to whom that PII applies at a physical safety risk.
"Protections need to be in place," said Susan McAndrews, who is a top legal advisor at the Department of Health and Human Services in Washington. McAndrews said the law is clear: customers’ personal health information must be carefully protected. After seeing what we found in the trash, she offered advice for pharmacies. "Don’t do that!" she said. "Putting protected health information in a dumpster that is accessible to anyone… is clearly not an example of a reasonable safeguard." McAndrews said most pharmacies are bound by HIPAA, a federal law that requires patients’ and customers’ private health information to be protected. Businesses that fail to comply can be fined up to $100 per incident."
A huge problem with HIPAA is the enforcement, or lack thereof, of this federal law by the Department of Health and Human Services (HHS). No fines or civil penalties have yet been applied; just two criminal cases have been successfully prosecuted. The HHS needs to step up and apply fines in such instances of blatant disregard of the law. Without fines being applied there is no motivation for compliance by covered entities (CEs). If the HHS is making statements about how CEs need to comply with HIPAA, it needs to step up to the plate and enforce the law! Just shaking a finger and tsk-tsking at violations of the legal requirements of HIPAA will not motivate most CEs.
"For this investigation, we randomly chose 65 metro-area pharmacies. The test included pharmacy-only stores such as Walgreens, CVS, Osco, Tucker Pharmacy and Low Cost Rx stores. It did not include grocery and retail stores that also offer pharmacy services because dumpsters at those locations contained mostly non-pharmacy trash. During the test, we took trash only from pharmacy dumpsters that offered easy public access. We did not take trash from the 13 pharmacies where the dumpsters were either locked or inaccessible to the public. Nor did we take garbage from the seven pharmacies at which dumpsters were behind a closed fence, even if the fence was unlocked. Trash dumpsters at 15 of the pharmacies were easily accessible but empty at the times we visited. We took trash from the remaining 30 pharmacies with easily accessible garbage dumpsters, and 19 of them failed to destroy all of their customers’ personal information before placing it in the dumpsters."
The station provided a list of the secured dumpsters they encountered, largely at CVS and Walgreens stores.
They also provided a map of all the dumpsters they investigated, and comments about the security of each.
What a great investigation. It would be enlightening to see this same exercise performed in other cities and towns.
Take a look at your own organization’s dumpsters…you might be surprised at what you find.
Residential trash is also at risk. Dumpster diving for trash treasures the night before trash day is pretty common in many residential areas.