The USPS announced that a healthcare data breach possibly compromised the information of 485,000 current and former employees.
- The United States Postal Service (USPS) first reported a cybersecurity breach in November that potentially compromised the personally identifiable information of 750, 000 employees, as well as the data of 2.9 million customers. At the time, the employee information that was possibly compromised included names, dates of birth and Social Security numbers, according to a USPS statement. Addresses and other information, such as the beginning and ending employment dates, as well as emergency contact information were also exposed.
However, it is now reported that the breach also potentially compromised 485,000 employees’ health information. Injury diagnoses, procedure codes, and the physical location of bodily harm were possibly exposed in the breach, according to a Nextgov report. Employees, former employees, and retirees who filed for workers compensation may be at risk, the news source reported.
“The Postal Service took steps to obtain current addresses for as many affected employees as possible through private contractors who used, among other sources, the Postal Service’s own National Change of Address database,” USPS spokesman David Partenheimer said in a statement.
Partenheimer added that all employees, former employees and retirees whose medical information may have been exposed received a notification letter last month. Moreover, those individuals will also receive free credit monitoring.
When the breach was first reported, the USPS reported that it was implementing additional security measures. This included equipment and system upgrades, as well as changes in employee policies and procedures that were expected to roll out in the weeks immediately following the cyber attack.
“The privacy and security of employee and customer data is of the utmost importance to us. Despite devoting a lot of time and attention to the security of our information systems, the Postal Service joins the list of major companies and government agencies that have had similar cyber intrusions,” the company said in its November statement. “The remediation efforts we took to address the cyber breach have resulted in an even stronger system to protect our data.”
Patients are not the only individuals who could find their information compromised in a healthcare data breach. Healthcare employees often have their personal data, including health information, stored in their organizations’ databases.
In Aug. 2014, Children’s Mercy Hospital in Kansas City, Mo. announced that just over 4,000 employees’ data was possibly exposed in an online breach. In that instance, an online scheduling application was believed to be the cause of the breach.
Employee names, home and email addresses, phone numbers and dates of birth were loaded onto the application. However, Social Security numbers and financial data were not included.
As not all organizations involved in a healthcare data breach are considered a covered entity, they will not face repercussions through the Department of Health and Human Services (HHS). However, this does not mean that facilities can have lackluster security measures in place. Individuals could file class action lawsuits and an organization could have its reputation falter due to a healthcare data breach.
The protected health information of employees and patients can be kept secure with current technical, physical and administrative safeguards.