Putting Zero Trust 2.0 into practice in five steps (InfoGuard Cyber Security Newsletter)

Privacy alert: Lessons from a healthcare company's misstep

In a world where protecting patient data is a top priority, a data breach is a serious threat to any organisation. This article tells the fictional story of Health plc, a company in the healthcare sector that caused a data breach. This story serves as a learning example and clearly demonstrates the need for robust data protection policies and processes in place.

At a time when the healthcare industry is becoming increasingly digital and patient data is the backbone of daily activities, Health plc has always seen itself as a pioneer of technological innovation.

The calm before the storm

Health plc has always been proud of its advanced privacy management system and the trust of its patients in a rapidly evolving world. At the time, however, little did they know that there was an undiscovered risk lurking beneath the surface: a data protection risk that could have significantly jeopardised Health plc's good reputation.

Serious and deliberate preparation for data protection

Health plc conscientiously implemented comprehensive data protection measures at an early stage to ensure compliance with data protection regulations and to strengthen the trust of its customers and suppliers.

As a result of these measures, the company ensured in particular the following aspects:

External data transparency

In order to create clarity and transparency for its users, Health plc has updated its website, including the cookie banner, content management and privacy policy. Contracts with customers and suppliers have been carefully adapted to comply with the new legal requirements.

Since that time, precise contract management and a detailed supplier overview have ensured that all external partners are transparently informed about the company's data protection guidelines. In addition, Health plc has clearly defined responsibilities and created roles for an internal data protection organisation to ensure that all data protection measures are correctly implemented.

Enabling legal data disclosure

Health plc has also implemented conscientious preparations for its reporting obligations in order to be able to respond correctly to any data protection incidents. For this reason, it established a specific process for data protection reporting to the authorities, which includes precise documentation and a precise control procedure. Procedures for access, erasure and rectification have also been defined in order to process requests in line with legal requirements.

Data protection as an itegral part of corporate culture - so far, so good!

Health plc has acted correctly by adopting these preventive measures, as they form the basis of a robust data protection management. With these implementations, Health plc proves that it is not only focused on compliance, but also sees data protection as an integral part of its corporate culture.

The discovery that changed everything

It all began on an ordinary day when Bax, a vigilant IT employee at Health plc, came accross a discrepancy during a routine check. Some sensitive patient data (highest confidentiality) was being stored unprotected on a server in an easily accessible storage location. Bax immediately raised the alarm and informed the internal data protection team.

Health plc's initial response was swift and decisive. The company's managers gathered together. The incident was assessed, immediate measures initiated and the affected server isolated. A thorough investigation of the incident was undertaken to understand how the data could have been exposed to such a risk of disclosure. A risk assessment was then carried out for the data subjects.

Getting to the bottom of it: The root cause analysis

The following days were marked by intensive investigations. It became clear that the incident was the result of a combination of technical defects and human error. It turned out that the data had been inadvertently moved to the unsecured server by an employee. This error was significantly exacerbated by the lack of end-to-end encryption and inadequate access controls on this server.

The internal control and monitoring of data protection turned out to be a significant weakness at Health plc. Although a register of processing activities existed, the root cause analysis revealed significant gaps in the documentation of data flows. The regular performance of data protection impact assessments (GDPR), the aim of which is to identify and minimise potential risks at an early stage, had been neglected, leading to an underestimation of the existing risks.

Informing employees about data protection practices

The investigation also revealed that internal policies and training on data protection were not sufficient to create a strong awareness of data protection practices among employees. As a result, not all employees were able to consistently implement and maintain data protection standards. The information and resources needed to understand and apply data protection principles were insufficient or did not reach all levels of the organisation. This deficit of knowledge transfer and application was a key factor that increased the risk of human error and ultimately contributed to the data breach.

Health plc recognised that the organisational measures cannot have their full impact without effective documentation and governance combined with the comprehensive understanding and commitment of all employees in the area of data protection. This recognition is a central aspect of the root cause analysis and forms the basis for the development of improved data protection strategies.

The road to recovery

With the full extent of the incident, Health plc has taken decisive steps to meet the public's trust and expectations and to ensure that such an incident doesn't happen again. The company has enhanced access controls and implemented a comprehensive training programme for all employees on the importance and relevance of data protection. This emphasised and confirmed the correct handling of sensitive data.

Refinement of the data protection guidelines

In addition, the data protection and security guidelines have been revised. Health plc introduced regular security audits and a security protocol that prioritises the security of data processing. The technical infrastructure has been revised to provide more efficient monitoring and faster response to potential security threats.

Obligation to report a data protection incident

In addition to technical and organisational measures (TOM), compliance with legal requirements in the event of a data breach is crucial. Health plc was faced with the challenge of not only taking internal measures, but also fulfilling external legal obligations. One of the most important legal steps was to report the incident to the relevant authorities. As required by law, the company immediately contacted the relevant authorities. These reports are not only a legal requirement, but also demonstrate Health plc's commitment to transparency and responsibility in its daily operations.

During the risk analysis of the incident, technical and forensic investigations showed that the data concerned had not left Health plc and that consequently there was no risk to the data subjects at any time. For this reason, the data protection authorities did not consider it necessary to notify the data subjects.

Conclusion: The key lesson from the data protection incident

The preliminary examination of the technical and organisational aspects of data protection, as well as the legal and timely reporting obligations, were crucial to the positive handling of the incident. By taking a proactive stance, Health plc not only minimised potential legal consequences, but also strengthened public confidence in its ability to deal with the incident.

The essence of the story of Health plc's fictional data protection incident serves as a real-life example of how data protection is not a stand-alone discipline, but a combination of technical, organisational and legal/judicial processes and measures. Data protection and information security are an absolute necessity as cornerstones of the corporate culture.

The call to action

Every organisation, whether in the healthcare sector or not, should review and improve its data protection practices. Effective data protection starts with the culture and dayly actions of the organisation and ends with interdisciplinary collaboration between the various interdepartmental stakeholders.

Is your organisation fully prepared to handle a data breach in accordance with current regulations? Find out for yourself. From data protection requirements, analysis, strategy definition and conception to awareness and implementation, we can help.

More on data protection

Want to stay informed about all cybersecurity news? Subscribe to our blog updates now and receive the latest articles delivered conveniently to your inbox.

Subscribe to blog updates!

<< >>

Data Governance

Pascal Engel
About the author / Pascal Engel

InfoGuard AG - Pascal Engel, Senior Cyber Security Consultant

More articles from Pascal Engel

Related articles
Focus on data protection: The new Swiss data protection law and its consequences
Focus on data protection: The new Swiss data protection law and its consequences

In recent months, there has been a great deal written about the new Swiss Data Protection Act (DSG) – its [...]
The New Swiss Data Protection Act – The List of Processing Activities [Part 2]
The New Swiss Data Protection Act – The List of Processing Activities [Part 2]

In the first blog article of our series on the revised Swiss Data Protection Act (DSG), we presented the most [...]
The new Swiss Data Protection Act – the most important new features [Part 1]
The new Swiss Data Protection Act – the most important new features [Part 1]

In autumn 2020, the Swiss federal parliament finally passed the long-awaited complete revision of the Federal [...]

Exciting articles, the latest news and tips & tricks from our experts on all aspects of Cyber Security & Defence.

Blog update subscription
Social Media