My local news reported late last week that a woman’s personal information, including medical details, were printed on the back of a back-to-school flier Wal-Mart made available in their Boone store. The person who got the flier in the store called the woman whose personal details were printed on it, it included her phone number, to let her know about the incident.
The woman’s attorney indicates they are filing a lawsuit against Wal-Mart, and said "The customer was very, very upset with what she found. She told Pat [the person whose info was on the flier] that ‘You don’t know me, but I have some information that I should not have, and I obtained it at the Wal-Mart store.’"
It is not known if this was the only flier with personal information printed on it, or if it was on more, or all, of the fliers. It would be interesting to know if others got this same woman’s information on the fliers they picked up, or if they got medical information about other persons.
Wal-Mart indicated that, as of the date of the report, they had not received a lawsuit, and did not say anything at all about the incident. I have not found any other news reports about this.
This is another good example of how mistakes or oversights happen that result in privacy breaches that are not technical. It is possible that Wal-Mart was printing the fliers on recycled paper, some of which may have come from their pharmacy area. If so, they need to have better controls in place to ensure such sensitive printed data is secured and shredded when disposed.
Someone also should have looked through the fliers prior to putting them out for the customers, just as a QA activity. Doing so could have caught this blunder.
It once more boils down to the human element, and the importance of having well communicated and enforced information security policies and procedures.
Another issue is whether or not this is a HIPAA violation. The pharmacy portion of Wal-Mart would be a covered entity. If the medical details did come from it and investigation shows there were not reasonable controls in place to prevent the incident from happening, it would seem that this incident could be a good candidate for qualifying as a HIPAA violation.
Technorati Tags
information security
IT compliance
policies and procedures
privacy incident
awareness and training
HIPAA
privacy breach
privacy