UPMC Identity Data Breach
Security of employee personnel data is a serious concern in all establishments. Data breaches cost a company time and money and badly affect public trust and confidence. The recent identity theft at the University of Pittsburgh Medical Center (UPMC) has affected more than 27,000 of its employees. A spokesperson for UPMC has confirmed that patient data has not been compromised. Data stolen from UPMC’s document management system was used to electronically file phony income tax returns. Such stolen information can be used to claim tax refunds and even to apply for a job.
How UPMC is Addressing the Data Breach Issue
According to a Triblive report, UPMC is working with federal investigation agencies to determine the source of the breach. Some of the measures the hospital has taken or plans to take to deal with the situation include:
• Established a payroll hotline
• Published employee information on the company website
• Hired a tax firm to help employees complete an IRS identity theft form
• Plans to reimburse employees up to $400 to use their own accountant
• Providing credit monitoring services to affected employees
• Financial assistance for those who have to pay for police reports
www.managedoutsource.com
800-670-2809
Reasons for Personal Data Breach
Employee databases usually contain information such as name, home address, social security number, wage information, birth date, bank account number, and routing numbers. Data breaches can occur intentionally or unintentionally. Here are the most typical reasons for ID thefts from an organization’s information system:
• Human error
• Inappropriate access controls allowing unauthorized use
• Equipment failure
• Hacking attack
• ‘Blagging’ or the use of deceptive means to extract personal data from people or organizations
• Loss or theft of data or equipment on which data is stored
Avoiding Data Breaches
The company should identify the security risks to personal information that it holds and the impact of a security breach.
• Policies should be developed to implement measures, practices and procedures to minimize the identified risks to personal data
• Educate staff and managers in security and fraud awareness, codes of conduct and security practices and procedures
• Access to data should be restricted only to those staff members who have the necessary clearance
• Access to systems which are no longer in active use and which contain personal data should be removed.
• Use strong passwords to protect PCs, databases, etc. from unauthenticated access
• Personal data of those who retire, resign, or get transferred should be removed from the database. If it is on paper, it can be scanned and indexed or stored in a repository internally or with a document imaging company that offers such a service.
• Monitoring and review – Constant monitoring is necessary to ensure compliance with the security policy, to assess new security risks, and to examine the adequacy of existing security measures to deal with these risks.
Firms with paper-based documents should switch to secure electronic document management systems. Voluminous data entry and document scanning and imaging can be handled by outsourcing the tasks.