Recently I received an email from a nursing home. It was not meant for me, and it was full of confidential information. How did that happen? I am the owner of the domain merwe.nl and so I receive any mail addressed to email addresses ending with @merwe.nl. The nursing home has admitted a patient named Van de Merwe and they would like to communicate with the family.
The first email I received was an invitation for a family conversation. Chances are that I’m related somewhere. Van de Merwe is not a common name in the Netherlands. According to the Meertens Institute (for Research and documentation of Dutch language and culture) there were 808 people named Van de Merwe in the Netherlands in 2007. I don’t know all of them so I don’t know this Mrs. Van de Merwe.
Anyway, I sent the nursing home an email stating they were using the wrong email address.
They acted a little clumsily, but it can happen, right?
That was not all. A few days later I received an extensive report on the ups and downs of Mrs. Van de Merwe:
“Hereby I send you the digital reports about your mother”.
The report told me how long Mrs. Van de Merwe slept, what she ate, what time she went to the toilet (and what she produced there) and further details of her medical condition. Although small, this is, I think, a real data breach. I wondered whether they had received my mail at all, but I got the answer as I read further.
“In addition I have another question: I read in an email which you sent us last week that we didn’t use the correct email address. Did you mean the address I’m using right now ([email protected])? Because this is the email address known to us and included in our records. If you have another email address, could you send it to us? Then we will ensure that it is updated in the system.”
I responded: No, my dear employee, the family has a different email address, and I do not know that email address. You have sent this to the wrong person and the wrong family.
I’m not the addressee Mrs. Van de Merwe-xxx and I don’t know the patient.
Now what, I wondered, and started looking at the options.
European General Data Protection Regulation
Recently the European Parliament, the European Commission and the Council agreed on the new General Data Protection Regulation. It includes strict rules on the notification of data breaches, both to the data subject and to the supervisory authority.
According to privacy laws in Europe, health information about an individual belongs to the so-called “special categories of data”, the processing of which is prohibited except for specific listed reasons. In this particular case, a clear breach has happened, since the information is health data (coming directly from a healthcare institution, too) and it is clearly identifiable (I know who the data is about). But: the General Data Protection Regulation doesn’t apply yet. Even the Dutch data breach notification obligation only applies from 2016. Let’s say it’s a final warning for the nursing home.
Thus, there is a clear breach of the privacy laws in place, and in 2016 this incident should be reported.
This incident made me think about how it may have happened. I think it is a clear example of human error, and humans make mistakes all the time. That is why, after all, we need to help them by building a better security culture.
Especially interesting to me is that this employee, even though he knew the email address might be incorrect, simply enclosed the entire report anyway.
What does this tell us about the security culture in the nursing home?
As a security culture practitioner, I work almost exclusively with healthcare organisations. Most employees working in healthcare are very eager to help and have a real customer focus. Security in the sense of providing safe care to their clients is at the top of their mind. But data security and privacy are less recognised.
I wonder where it went wrong in this situation. Was the employee in a hurry, does he hate paperwork, or is he not aware of the consequences of his action? This incident might be an indication that information security and security culture are not at the required level.
I think I’ve found a lead to a nursing home that could benefit from the implementation of the Security Culture Framework, and will do my best to help them avoid similar situations in the future.
I am co-founder of the Dutch security awareness community, serving any security awareness pro who wants to be inspired by knowledge-sharing colleagues.
I am a Certified Security Culture Practitioner (CSCP).