Another organization, this time a regional US healthcare provider network, has had a data breach and HIPAA violation due to improper disposal of hard drives by their third-party vendor.
Out of the many news sources and organizations that covered this story, such as healthitsecurity.com, hipaajournal.com, calhipaa.com (Calculated HIPAA), healthcareciso.com, compliancy-group.com, the Office of the New Hampshire Attorney General, the Office of the Vermont Attorney General, and law firms, I’ve linked over to a local Maine news station that has the facts of the case both written and in a concise 1:17 video.
♦️ HealthReach Community Health Centers, a system of 11 federally-funded community health centers throughout Central and Western Maine, headquartered in Waterville, found out about a data breach affecting more than 100,000 Mainers in May of 2021 and notified the Maine Attorney General’s Office in early September of 2021.
♦️ More than 116,000 people are affected, and as many as 101,395 of them are Maine residents.
♦️ The healthcare provider contracted a third-party data destruction company to dispose of hard drives containing protected health information (PHI), and drives were improperly disposed of by an employee at the third-party data storage facility.
♦️ The information exposed includes patient names, addresses, date of birth, Social Security numbers, medical insurance information, lab results, medical record numbers, treatment records, and financial account information.
♦️ HealthReach stated, “We are taking steps to prevent a similar event from occurring again in the future, including ensuring our data storage vendors re-train employees and comply with the required safeguards as to the disposal of sensitive information.”
A big part of the problem continues to be that, for many organizations, data in storage or in transit in production environments is seen as important and worth safeguarding, but as soon as that same data sits on End-of-Life devices it is treated as a nuisance and a disposal cost, and the risk of data loss is no longer taken seriously.
And if your organization’s selection and vetting of ITAD vendors leaves room for a vendor whose employees still need to be retrained in how to handle and dispose of data, you should expect fines and lawsuits.
As I’ve stated many times before, just as there are certifications for every other aspect of IT and cybersecurity, there are also certifications for data destruction during the IT Asset Disposition (ITAD) phase.
There are 6 data security-specialized US-based ITAD vendors with a comprehensive set of NAID (National Association of Information Destruction) AAA certifications for data destruction performed at the client site or in their facilities, overwriting, degaussing, or physically destroying all types of digital media (HDD, SSD, NVM), and non-paper media (tapes, disks, etc.), including NextUse.