
Non-Technical Privacy Breach Example & Possible HIPAA Violation: Medical Information Printed on Back of Wal-Mart Fliers

My local news reported late last week that a woman's personal information, including medical details, was printed on the back of a back-to-school flier Wal-Mart made available in their Boone store. The person who got the flier in the store called the woman whose personal details were printed on it (the flier included her phone number) to let her know about the incident.

The woman's attorney indicates they are filing a lawsuit against Wal-Mart, and said "The customer was very, very upset with what she found. She told Pat [the person whose info was on the flier] that 'You don't know me, but I have some information that I should not have, and I obtained it at the Wal-Mart store.'"

It is not known whether this was the only flier with personal information printed on it, or whether it appeared on more, or all, of the fliers. It would be interesting to know whether others got this same woman's information on the fliers they picked up, or whether they got medical information about other people.

Wal-Mart indicated that, as of the date of the report, they had not received a lawsuit, and did not say anything at all about the incident. I have not found any other news reports about this.

This is another good example of how mistakes or oversights result in privacy breaches that are not technical at all. It is possible that Wal-Mart printed the fliers on recycled paper, some of which may have come from the pharmacy area. If so, they need better controls to ensure that sensitive printed material is secured while it awaits disposal and is shredded, not reused, when disposed of.

Someone also should have looked through the fliers before putting them out for customers, simply as a QA check. Doing so could have caught this blunder.

It once more boils down to the human element, and the importance of having well communicated and enforced information security policies and procedures.

Another issue is whether this is a HIPAA violation. The Wal-Mart pharmacy would be a covered entity, and HIPAA's Privacy Rule covers protected health information in any form, paper included, and requires covered entities to have reasonable safeguards against unintended disclosure. If the medical details did come from the pharmacy and an investigation shows there were no reasonable controls in place to prevent the incident, this would seem a good candidate for a HIPAA violation.


Rebecca Herold's Bio:

Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, has been providing information security, privacy and regulatory assistance and services to organizations from a wide range of industries for over 18 years. Rebecca was instrumental in building the information security and privacy program while at Principal Financial Group, which was awarded the CSI Information Security Program of the Year Award in 1998. IT Security ranked Rebecca as one of the top 59 IT security influencers, and Computerworld put Rebecca on their list of the 25 top privacy experts and on their list of the 9 best privacy consulting firms. Rebecca has been CPO for two consulting organizations, and has had her own information privacy, security and compliance business since 2004. Rebecca has written chapters for several books, dozens of articles, and has been writing a monthly privacy column for the CSI Alert newsletter since the beginning of 2001, and is working on her 11th book. Some of her other books include The Privacy Papers, Managing an Information Security and Privacy Awareness and Training Program, The Definitive Guide to Security Inside the Perimeter (Realtime Publishers), The Shortcut Guide to Improving IT Service Support through ITIL (Realtime Publishers), and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, Rebecca is the leader of The Realtime IT Compliance Community where she posts to her IT Compliance weblog. You can contact Rebecca at: rebecca_herold@realtimepublishers.net.