DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Oops: a breach notification revealed too much

Posted on May 1, 2008 by Dissent

When Drexel University College of Medicine experienced a breach due to the theft of a computer, they notified states attorney general as required by various state laws.

But because only one resident of Maryland was affected by the breach, Drexel included a copy of the notification letter to the patient when they notified the Maryland Attorney General’s office. And by doing that, they compounded the privacy problem for one patient.

When Maryland made all breach notices available on the web, I was going through them to locate breaches that had not been disclosed or reported in the media. And in reading Drexel’s breach disclosure, I realized that the failure to redact the patient’s name, address, and some information about the breach had produced another privacy problem. Rather than posting the breach to PHIPrivacy.net, then, I delayed, called Drexel, and informed them of the problem. They promptly contacted the Maryland Attorney General’s office, who removed the file from the web.

Now that the file has been removed, I can report the breach. A redacted copy of their notification letter to Maryland can be found here, but Edward Longazel, Drexel’s Chief Compliance and Privacy Officer provided me with additional details when I spoke with him.

Longazel informed me that the problem occurred because a contract worker created a spread sheet to show what work she had done that day. The spread sheet included the names of patients and their Social Security numbers or dates of birth and was created on a computer that was not supposed to contain any data at rest. Not only should the worker not have created the file, but she should not have been using Social Security numbers, and during the day, when she overheard someone else being trained that SSN were not to be used, she switched to using dates of birth.

At the end of the day, she emailed the spreadsheet to her supervisor and then shut down the computer without deleting the file. The computer was stolen.

According to Longazel, less than 250 people were affected by the theft, and there were no addresses or financial information in the stolen computer.

Category: Health Data

Post navigation

← Ie: Outrage as patient files unearthed
UCSF waited six months before telling patients of data breach →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Texas Doctor Who Falsely Diagnosed Patients as Part of Insurance Fraud Scheme Sentenced to 10 Years’ Imprisonment
  • VanHelsing ransomware builder leaked on hacking forum
  • Hack of Opexus Was at Root of Massive Federal Data Breach
  • ‘Deep concern’ for domestic abuse survivors as cybercriminals expected to publish confidential abuse survivors’ addresses
  • Western intelligence agencies unite to expose Russian hacking campaign against logistics and tech firms
  • Disrupting Lumma Stealer: Microsoft leads global action against favored cybercrime tool
  • Researchers Scrape 2 Billion Discord Messages and Publish Them Online
  • Privilege Under Fire: Protecting Forensic Reports in the Wake of a Data Breach
  • Hacker who breached communications app used by Trump aide stole data from across US government
  • Massachusetts hacker to plead guilty to PowerSchool data breach (1)

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Widow of slain Saudi journalist can’t pursue surveillance claims against Israeli spyware firm
  • Researchers Scrape 2 Billion Discord Messages and Publish Them Online
  • GDPR is cracking: Brussels rewrites its prized privacy law
  • Telegram Gave Authorities Data on More than 20,000 Users
  • Police secretly monitored New Orleans with facial recognition cameras
  • Cocospy stalkerware apps go offline after data breach
  • Drugmaker Regeneron to acquire 23andMe out of bankruptcy

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.