This topic has 5 replies, 6 voices, and was last updated 1 year, 7 months ago by SIPPAPAS WANGSRI.
2022-09-18 at 5:26 pm #38145 Kansiri Apinantanakul (Participant)
Case study 9: Third-Party Mailing Error Exposes 37K SSNs at Sound Health and Wellness Trust
https://healthitsecurity.com/news/third-party-mailing-error-exposes-37k-ssns-at-sound-health-and-wellness-trust

1. Provide a brief description of the story.
Zenith American Solutions provides third-party administrator services to Sound Health and Wellness Trust. Zenith sent a letter to impacted individuals on June 24, 2022, reminding them to complete their profiles.
On June 28, Zenith discovered that the mailing contained the individuals’ full Social Security numbers as part of the mailing label. The mailing label contained the individuals’ names, addresses, SSNs, unique ID numbers, and the fact that they were enrolled in coverage through Sound Health and Wellness Trust. As a result, 37,146 Social Security numbers were disclosed in this incident.

2. What is/are the impact of this data breach? Consequences of the data breach.
As stated in the press: “Zenith said it had no reason to believe that any information had been misused but offered impacted individuals free credit monitoring services.”
I partially agree with Zenith’s statement. In my opinion, this incident affected nearly forty thousand American citizens, which is considered a high impact. Even if the information was sent to the information owner, there is no guarantee that the information was kept secure during the transport of the mail.
The mail may be seen by neighbors or postmen. Having full details including names, addresses, SSNs, and unique ID numbers puts affected individuals at risk of impersonation or other misuse of their personal information.
Moreover, if Zenith hired a vendor to send all these emails, all this information was expected to be gathered at one single point where it could be combined and utilized maliciously.

3. How did the data breach occur?
The mail labeling failed to meet Zenith policy during the preparation process because the file used to prepare the mail labels mistakenly included SSNs.

4. What should be the main cause of the data breach? Provide a brief explanation of the cause of the data breach (such as phishing, ransomware, HIPAA violation, database misconfiguration, human error, third-party vendor error).
In this case, I think the main cause of the data breach is a HIPAA violation and human error.
Since Zenith only provides administrative services to Sound Health and Wellness Trust, I suppose it is not proper to provide Zenith with the individuals’ SSNs. The SSN is considered personally identifiable information. The trust should only allow access to a selected group of staff who are required to deal with SSNs. Sending information including SSNs to the mailing staff of Zenith is risky. This incident was caused not only by Zenith’s staff errors but also by the source data providers themselves.

5. How could you prevent this data breach attack?
- The source data provider must provide information only to the staff who require it.
- Zenith should actively implement measures to control the receipt and sending of personal information. All staff should be trained and aware of potential personal information and the appropriate management measures.
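A pre-send check of the kind the prevention points above call for, added here as an example (it is not part of the original post nor of Zenith's actual process): the data owner validates the label export against an assumed allowlist of label fields and scans every value for the SSN shape, so a file like the one in the story is stopped before it reaches the mail vendor. The CSV contents, column names and allowlist are constructed.

```python
import csv
import io
import re

# Assumed allowlist: the only fields a profile-reminder label needs.
ALLOWED_LABEL_FIELDS = {"name", "address_line1", "address_line2", "city", "state", "zip"}

# SSN shape: 3-2-4 digits with a consistent separator ("" , "-" or " ").
# Excludes area 000/666/9xx, group 00 and serial 0000, which are never issued.
# The back-reference keeps ZIP+4 values such as 98101-1234 from matching.
SSN_RE = re.compile(r"^(?!000|666|9)\d{3}(?P<sep>[- ]?)(?!00)\d{2}(?P=sep)(?!0000)\d{4}$")


def looks_like_ssn(value: str) -> bool:
    """True if a single field value has the shape of an issued SSN."""
    return bool(SSN_RE.match(value.strip()))


def check_label_file(csv_text: str) -> dict:
    """Validate a mailing-label CSV before it leaves the data owner.

    Reports columns outside the allowlist (data the vendor should never
    receive) and any (row, column) whose value is SSN-shaped, which also
    catches an SSN hiding in an innocuously named column."""
    reader = csv.DictReader(io.StringIO(csv_text))
    extra_columns = sorted(set(reader.fieldnames or []) - ALLOWED_LABEL_FIELDS)
    ssn_hits = []
    for row_no, row in enumerate(reader, start=2):  # line 1 is the header
        for col, val in row.items():
            if val and looks_like_ssn(val):
                ssn_hits.append((row_no, col))
    return {
        "extra_columns": extra_columns,
        "ssn_hits": ssn_hits,
        "safe_to_send": not extra_columns and not ssn_hits,
    }


# Constructed sample export: an 'ssn' column slipped into the label file,
# and one row also carries an SSN in the 'member_ref' column.
SAMPLE_EXPORT = """name,address_line1,city,state,zip,ssn,member_ref
Jane Doe,1 Example St,Seattle,WA,98101,123-45-6789,M-001
John Roe,2 Example Ave,Tacoma,WA,98402,321-54-9876,234567890
"""

if __name__ == "__main__":
    print(check_label_file(SAMPLE_EXPORT))
```

On the sample the check reports the two unexpected columns and three SSN-shaped values, and marks the file as not safe to send.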
2022-09-19 at 5:29 am #38151 Kawin Wongthamarin (Participant)
Thank you for sharing such an interesting story.
I think there is another way to help prevent this incident. Drafted e-mails should be reviewed twice or three times by multiple authorities before sending e-mails containing sensitive information, to prevent human error.
2022-09-19 at 9:38 am #38157 PREUT ASSAWAWORRARIT (Participant)
Thank you for sharing this interesting story.
I agree with you that the main cause of this issue should be a HIPAA violation and human error. In addition to reviewing the e-mail before one sends it, the third-party service company can implement software that automatically retrieves individual data and writes the e-mail, like the e-mail containing an invoice after we purchase something from an online shop.
Thank you.
2022-09-21 at 6:53 pm #38224 Siriphak Pongthai (Participant)
Your topic is so fascinating because the error basically comes from the preparation process.
I personally think the company should retrain all staff involved in these processes, as well as focus on protected health information (PHI) and HIPAA regulation. In addition, root cause analysis and corrective and preventive action should be conducted in order to prevent the recurrence of the error in the future.
2022-09-24 at 4:44 pm #38313 Saranath (Keymaster)
Thanks for the fruitful discussion!
2022-09-25 at 3:19 pm #38348 SIPPAPAS WANGSRI (Participant)
I agree that the very mistaken point in this case is caused by human error. Nevertheless, SSN numbers should not be stored in plain sight by any means because they can directly identify a specific person. They should be de-anonymised/pseudonymised or encrypted before being stored in a database that is potentially accessible by a developer or clients. In that case, even if the database is compromised, the data itself is encrypted.