The Enemy in the Office: Part 1 (of 3!)
Why your fax machine may be your worst security risk
Last week, a data breach made headlines in Canada when a woman’s private medical information was faxed by her doctor’s office to a newspaper. It was no doubt a mistake, a simple case of a wrong number. The laws of probability ensure it will happen from time to time, but unfortunately, this type of breach becomes more insidious when you look at the details. In some instances, hundreds of records are faxed over a multi-year time span. And in those cases, the doctors’ offices and government entities often knew of the problem but still took years to correct it.
In any case, doctors’ offices should be taking these cautionary tales to heart and asking some tough questions: Why does this keep happening? When does “simple mistake” turn into “deliberate negligence”? And, perhaps most importantly, what can any office or organization do to safeguard against mistakenly faxing data to the wrong place?
Businesses, and doctors’ offices in particular, need to carefully scrutinize their office policies on faxing: Does the office have an established protocol to verify and test fax numbers? Does office staff pre-program commonly used numbers to ensure the fax is transmitted correctly? Make sure employees understand that even accidentally faxing protected health information (PHI) to a wrong number can trigger breach notification requirements, so it is important to check (and double check) every time a fax leaves the office.
. . . Look for “Part 2,” which will be posted on Thursday!
by Charlotte Rose, CIPP
Senior Investigator, Kroll Fraud Solutions




