DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Oops: a breach notification revealed too much

Posted on May 1, 2008 by Dissent

When Drexel University College of Medicine experienced a breach due to the theft of a computer, they notified states attorney general as required by various state laws.

But because only one resident of Maryland was affected by the breach, Drexel included a copy of the notification letter to the patient when they notified the Maryland Attorney General’s office. And by doing that, they compounded the privacy problem for one patient.

When Maryland made all breach notices available on the web, I was going through them to locate breaches that had not been disclosed or reported in the media. And in reading Drexel’s breach disclosure, I realized that the failure to redact the patient’s name, address, and some information about the breach had produced another privacy problem. Rather than posting the breach to PHIPrivacy.net, then, I delayed, called Drexel, and informed them of the problem. They promptly contacted the Maryland Attorney General’s office, who removed the file from the web.

Now that the file has been removed, I can report the breach. A redacted copy of their notification letter to Maryland can be found here, but Edward Longazel, Drexel’s Chief Compliance and Privacy Officer provided me with additional details when I spoke with him.

Longazel informed me that the problem occurred because a contract worker created a spread sheet to show what work she had done that day. The spread sheet included the names of patients and their Social Security numbers or dates of birth and was created on a computer that was not supposed to contain any data at rest. Not only should the worker not have created the file, but she should not have been using Social Security numbers, and during the day, when she overheard someone else being trained that SSN were not to be used, she switched to using dates of birth.

At the end of the day, she emailed the spreadsheet to her supervisor and then shut down the computer without deleting the file. The computer was stolen.

According to Longazel, less than 250 people were affected by the theft, and there were no addresses or financial information in the stolen computer.

No related posts.

Category: Health Data

Post navigation

← Ie: Outrage as patient files unearthed
UCSF waited six months before telling patients of data breach →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Hackers Using PDFs to Impersonate Microsoft, DocuSign, and More in Callback Phishing Campaigns
  • One in Five Law Firms Hit by Cyberattacks Over Past 12 Months
  • U.S. Sanctions Russian Bulletproof Hosting Provider for Supporting Cybercriminals Behind Ransomware
  • Senator Chides FBI for Weak Advice on Mobile Security
  • Cl0p cybercrime gang’s data exfiltration tool found vulnerable to RCE attacks
  • Kelly Benefits updates its 2024 data breach report: impacts 550,000 customers
  • Qantas customers involved in mammoth data breach
  • CMS Sending Letters to 103,000 Medicare beneficiaries whose info was involved in a Medicare.gov breach.
  • Esse Health provides update about April cyberattack and notifies 263,601 people
  • Terrible tales of opsec oversights: How cybercrooks get themselves caught

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Kids are making deepfakes of each other, and laws aren’t keeping up
  • The Trump administration is building a national citizenship data system
  • Supreme Court Decision on Age Verification Tramples Free Speech and Undermines Privacy
  • New Jersey Issues Draft Privacy Regulations: The New
  • Hacker helped kill FBI sources, witnesses in El Chapo case, according to watchdog report
  • Germany Wants Apple, Google to Remove DeepSeek From Their App Stores
  • Supreme Court upholds Texas law requiring age verification on porn sites

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.