Privacy breach no more: Eastern Health finds missing USB in file folder
False alarm cost Eastern Health more than $100,000
Eastern Health says it's found the missing USB flash drive containing thousands of employees' personal information — it was in a file folder in the Human Resources department the whole time. The mishap cost the health authority more than $100,000.
According to Eastern Health, an employee found the drive while she was doing some office tidying.
"She pulled a group of file folders out of the shelf and the USB drive fell onto the floor," said Debbie Molloy, interim vice president of human resources.
"We were so very relieved when we found the drive."
Molloy said they are not really sure how the drive got into that location and that they are still investigating employees' actions.
"We did search that office, but there are 50 to 60 workstations that people work in and there are literally thousands of files in that office," she said.
"We were actually hoping that it would turn up."
The health authority reported a privacy breach June 19 when a drive containing sensitive information of 9,000 employees went missing.
Eastern Health president David Diamond said they spent several days tearing apart their offices looking for the missing USB stick, which contained social insurance numbers, names, and employee numbers.
Eastern Health tasked 30 workers full-time to notify all the impacted employees of the breach. The extra labour, among other expenses, cost Eastern Health more than $100,000.
Now, the president of Eastern Health says there's no need for concern.
"Employees can now be assured that their personal information was not at risk and that no further action is required to protect them against identify theft," said Diamond in a release.
"We sincerely apologize for that. We certainly didn't want to put them through undue stress," added Molloy.
Eastern Health changing its privacy regulations
As a result of the incident, Diamond said that Eastern Health is strengthening its regulations around employee privacy. Social insurance numbers won't be used as an employee identifier, and any employee requesting information will first have to answer a number of security questions.
Eastern Health said it is developing a more strict USB and portable media devices policy, and has plans to upgrade its anti-virus platform so that USB drives will be automatically encrypted.