Massachusetts General Hospital recently notified 648 patients that their names, lab results and Social Security numbers may have been exposed in May 2015 when an employee sent an email containing the data to the wrong email address by mistake (h/t SC Magazine).
“Several attempts to retrieve this email were unsuccessful,” hospital privacy officer Deborah A. Adair wrote in the notification letter.
“To help prevent this from happening again, we are updating our processes so that this information will no longer be handled via email,” Adair added. “We are also re-educating our workforce regarding the importance of handling patient information securely.”
Ken Levine, president and CEO of Digital Guardian, said the breach is a classic example of an accidental data loss that could have been avoided. “A simple prompt alerting the user of the action he/she was about to take would have been enough to prevent a well-meaning insider from accidentally sending sensitive data,” he said.
“This is why sensitive data itself must be protected with proper policies and enforcements — so that data breaches are prevented regardless of how they are instigated,” Levine added.
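The pre-send check Levine describes is an outbound data-loss-prevention rule: inspect the message for identifiers such as Social Security numbers, look at where it is going, and either confirm with the sender or refuse to send. The following is an added illustration written for this page, not code from Digital Guardian or Massachusetts General Hospital. The internal domain (example-hospital.org), the message text and the recipient addresses are constructed for the example. It validates SSN structure (area 000, 666 and 900-999, group 00 and serial 0000 are never issued) to cut false positives, and it also flags external domains that closely resemble an internal one, since a mistyped address is exactly the failure mode in the MGH incident.

```python
import difflib
import re
from dataclasses import dataclass, field

# Assumed internal mail domains for this illustration; a real deployment
# would load them from the organisation's mail configuration.
INTERNAL_DOMAINS = {"example-hospital.org"}

# Candidate SSN: 3 digits, optional "-" or " " separator, 2 digits, the same
# separator, 4 digits. The digit look-arounds stop matches inside longer
# digit runs (e.g. a 10-digit phone number).
SSN_CANDIDATE = re.compile(r"(?<!\d)(\d{3})([- ]?)(\d{2})\2(\d{4})(?!\d)")


def is_valid_ssn(area: str, group: str, serial: str) -> bool:
    """Structural rules for issued SSNs: rejects values that cannot be real."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    if int(group) == 0 or int(serial) == 0:
        return False
    return True


def find_ssns(text: str) -> list:
    """Return the SSN-like values in text that pass the structural check."""
    return [
        m.group(0)
        for m in SSN_CANDIDATE.finditer(text)
        if is_valid_ssn(m.group(1), m.group(3), m.group(4))
    ]


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def external_recipients(recipients, internal_domains) -> list:
    return [r for r in recipients if domain_of(r) not in internal_domains]


def lookalike_domains(recipients, internal_domains, threshold=0.8) -> list:
    """Flag external domains that closely resemble an internal one (likely typo)."""
    hits = []
    for r in recipients:
        for internal in internal_domains:
            ratio = difflib.SequenceMatcher(None, domain_of(r), internal).ratio()
            if ratio >= threshold:
                hits.append((r, internal))
    return hits


@dataclass
class Decision:
    action: str                      # "allow", "prompt" or "block"
    reasons: list = field(default_factory=list)
    ssn_count: int = 0
    external: list = field(default_factory=list)
    lookalikes: list = field(default_factory=list)


def check_outbound(recipients, subject, body, internal_domains=INTERNAL_DOMAINS) -> Decision:
    """Policy: SSNs to an external address -> block; SSNs internally -> prompt;
    no SSNs but a lookalike domain -> prompt (possible typo); otherwise allow."""
    ssns = find_ssns(subject + "\n" + body)
    ext = external_recipients(recipients, internal_domains)
    look = lookalike_domains(ext, internal_domains)
    d = Decision("allow", ssn_count=len(ssns), external=ext, lookalikes=look)
    if ssns:
        d.reasons.append(f"{len(ssns)} SSN-like value(s) in message")
        if ext:
            d.action = "block"
            d.reasons.append("external recipient(s): " + ", ".join(ext))
        else:
            d.action = "prompt"
            d.reasons.append("confirm every recipient should receive this data")
    if look:
        d.action = "block" if d.action == "block" else "prompt"
        for addr, internal in look:
            d.reasons.append(f"{addr} looks like a mistyped {internal} address")
    return d


if __name__ == "__main__":
    # Constructed sample message: one real-looking SSN, sent to a typo'd domain.
    decision = check_outbound(
        ["dr.smith@example-hospita1.org"],
        "Lab results",
        "Patient: J. Doe, SSN 123-45-6789, lab results attached.",
    )
    print(decision.action, decision.reasons)
```

The unformatted nine-digit form (no separators) is accepted on purpose so that a stripped SSN is still caught, but it raises the false-positive rate on other nine-digit numbers; a production rule would weight bare-digit matches lower or require corroborating terms such as "SSN" nearby. The lookalike threshold of 0.8 is an assumption chosen for this example.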
Insider breaches due to employee error are a significant problem for enterprises worldwide. According to the results of a recent survey of 1,071 IT and IT security practitioners, 70 percent of U.S. respondents said they see more security incidents caused by unintentional mistakes than by intentional and/or malicious acts.
The survey, conducted by the Ponemon Institute and commissioned by Raytheon|Websense, also found that employee negligence can cost U.S. companies as much as $1.5 million in time wasted responding to security incidents caused by human error. IT security practitioners said they spend an average of almost three hours each day dealing with security risks caused by employee mistakes.
Among U.S. respondents, new or entry-level employees are seen as posing the greatest risk of careless or negligent acts, as are those who multi-task or work too many hours — the report notes that on average, U.S. employees work 48 hours per week, while German employees work 35.
“Maliciousness is tagged as the leading cause in insider threat discussions, but the impact of negligence cannot be overlooked,” Raytheon|Websense president Ed Hammersla said in a statement. “As the Ponemon study reveals, security incidents are caused by negligence which leads to a decrease in IT productivity.”
“Workplace stress, multitasking, long hours and a lack of resources and budget are the biggest contributors to employee negligence,” Hammersla added. “Having programs in place that include a mixture of training, policy and technology is vital to addressing insider threats before they become a major issue.”
A recent eSecurity Planet article examined the importance of providing security awareness training to employees.