Sometimes your policies are fine, but a well-meaning employee still manages to violate them. Consider this notification from Children’s Mercy Hospital in Kansas City, Missouri:
Kansas City, Mo. – May 19, 2017 – Children’s Mercy’s information security department recently discovered an unauthorized website that contained certain patient information. The information had been collected by one of the hospital’s physicians who was using the website in an effort to create an educational resource. Although the physician believed that all individual information contained in the website was password protected and inaccessible, unfortunately the website’s security controls did not meet the hospital’s standards and the information could have been accessed by unauthorized third parties. Promptly following discovery, Children’s Mercy took down the website. The website was not owned or authorized by Children’s Mercy or on the hospital’s network. Storing patient information on the website violated Children’s Mercy’s policies.
Although Children’s Mercy is not aware of any misuse of the patient information, the hospital is sending letters to the 5,511 affected patients. Information that was stored on the site varied by patient, but may have included name, medical record number, gender, birthdate/age, height/weight, dates of service and brief notes.
It is important to note that Social Security numbers, addresses, photos, telephone numbers, insurance information and credit card information were NOT included in this information.
Children’s Mercy has established a call center (1-855-836-1509) and an informational webpage (childrensmercy.org/May2017) to provide answers to affected families. Additionally, Children’s Mercy is offering free identity theft protection.
The hospital sincerely apologizes for this situation.
The text of the notification letter to parents can be found here (pdf).
While I do believe that this was an error by a well-meaning employee, I am concerned about the lack of security controls that allowed this individual to exfiltrate sensitive data and host it on this unsecured website.