It has been revealed that the NC Department of Health and Human Services (DHHS) suffered a security breach after an unencrypted spreadsheet containing personal information for almost 6,000 people was “sent in error” to a vendor.
Compromised data included names, Social Security numbers and routine drug screening results for people who had applied for employment, volunteer, and intern openings at the DHHS.
A statement said:
“These screenings were routine and applied uniformly to applicants for particular positions. A person’s inclusion in the spreadsheet reflects only that they sought an employment, intern or volunteer opportunity at DHHS within the affected time period.”
The breach was discovered on September 27 and an investigation was immediately launched. The third party that was in receipt of the classified information was asked to ensure “deletion and secure destruction.”
Those affected by the incident have been informed, as has the US Department of Health and Human Services Office for Civil Rights.
It is thought that the risk of data misuse is low, but it cannot be determined whether the email was “intercepted during transmission.”
The statement continued:
“Protecting the privacy and security of job applicants is a top priority of DHHS. The department has reviewed proper procedures with employees and is continuing to review its internal processes to ensure the correct handling of data moving forward and to help avoid a similar occurrence in the future.”
It appears that the DHHS is taking proactive steps to prevent similar incidents in the future. Although this breach is an example of human error and not deliberate misuse, it reiterates the importance of training staff effectively to ensure that they know how to treat confidential information.
Educate your staff
Enroll your staff on our Information Security Staff Awareness E-Learning Course so that they gain a better understanding of what is expected of them. The course advises staff on how to avoid becoming a security liability, introduces them to your internal policies on incident reporting and responses, and provides basic knowledge of information security best practice to reduce preventable mistakes.