Privacy & Security
Eastern Health finds missing USB in file folder
August 19, 2015
ST. JOHN’S – Eastern Health, in Newfoundland, says it has found a missing USB flash drive containing the personal information of thousands of employees – it was in a file folder in the Human Resources department the whole time. The mishap cost the health authority more than $100,000.
According to Eastern Health, an employee found the drive while she was doing some office tidying. “She pulled a group of file folders out of the shelf and the USB drive fell onto the floor,” said Debbie Molloy (pictured), interim vice president of human resources.
“We were so very relieved when we found the drive,” Molloy said. They are not really sure how the drive got into that location and they are still investigating employees’ actions.
“We did search that office, but there are 50 to 60 workstations that people work in and there are literally thousands of files in that office,” she said. “We were actually hoping that it would turn up.”
The health authority reported a privacy breach June 19 when a drive containing sensitive information of 9,000 employees went missing.
Of the 9,000 people whose information was on the flash drive, 3,300 staff with surnames starting with letters P-Z had social insurance numbers included in the information spreadsheet. The remaining 5,700 employees had their names and employee numbers breached.
Eastern Health president David Diamond said they spent several days tearing apart their offices looking for the missing USB stick.
Eastern Health tasked 30 workers full-time to notify all the impacted employees of the breach. The extra labour, among other expenses, cost more than $100,000. Now, the president, Mr. Diamond, says there’s no need for concern.
“Employees can now be assured that their personal information was not at risk and that no further action is required to protect them against identify theft,” said Diamond in a release.
“We sincerely apologize for that. We certainly didn’t want to put them through undue stress,” added Molloy.
As a result of the incident, Diamond said that Eastern Health is strengthening its regulations around employee privacy. Social insurance numbers won’t be used as an employee identifier, and any employee requesting information will first have to answer a number of security questions.
Eastern Health said it is developing a more strict USB and portable media devices policy, and has plans to upgrade its anti-virus platform so that USB drives will be automatically encrypted.