PowerPoint Charts Led to Breaches
Memorial Sloan-Kettering Reports Unusual Incidents
Sometimes, data breaches can result from data hidden in unusual places. Memorial Sloan-Kettering Cancer Center in New York is notifying 880 patients that some of their personal information may have been exposed when it was inadvertently embedded in PowerPoint charts posted on two websites.
In April, the cancer center, as part of its ongoing data security efforts, discovered five incidents involving patient information that was hidden behind graphs in PowerPoint presentations on the websites of two professional medical organizations, according to a June 15 privacy alert posted on its website. The information "was not visible during routine viewing of the presentation, but the graph itself could be manipulated in such a way as to potentially reveal the protected information," according to the alert.
The investigation revealed five separate incidents involving PowerPoint files, each of which affected different groups of patients, contained different data elements and involved postings at different time periods, the alert says. The largest file affected 568 patients. Patient names, clinical information and, in some cases, Social Security numbers were embedded in the charts, a medical center spokesman says.
"As soon as these incidents were discovered, we took immediate action, and the information was removed," the alert states. The medical center has no evidence the information has been misused.
All those potentially affected have been notified and offered one year's worth of free services from ID Experts, including, in some cases, credit monitoring, the spokesman says.
"Memorial Sloan-Kettering has taken significant measures to strengthen our information and data security systems, has taken corrective action with those involved and has educated staff so that this situation does not occur again," the alert states.
To protect patient information, such as by encrypting it, healthcare organizations must first be able to identify all the places where it resides, attorney Melodi Mosley Gates of Patton Boggs LLC stressed in a recent interview.
First, organizations should conduct a business-process review, surveying appropriate staff members and mapping their business processes, she said. Second, they should consider using data loss prevention software to help identify where patient information resides.
"One of the really interesting things DLP can do is it can help to scan your environment and inventory that kind of data, even if it's embedded out in things like Excel files," Gates said. "It's not a simple process. It can be a lengthy one, but it can be very helpful."
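The kind of inventory scan Gates describes can be applied to a presentation before it is posted; the following is an added example, not code from the article or from Memorial Sloan-Kettering. It assumes the deck is in the .pptx (Office Open XML) format, where a chart's source workbook is stored as a nested package under ppt/embeddings/, and it lists every nested package and flags Social Security number-shaped text inside it. The function names are hypothetical, and the sample deck is constructed and simplified rather than a valid presentation.

```python
import io
import re
import zipfile

# SSN-shaped pattern; a real DLP rule set would cover more identifier types.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

def scan_container(data, path=""):
    """Walk an OOXML package, recursing into embedded packages.

    Returns (embedded, hits): nested package paths, and (part, value) matches.
    """
    embedded, hits = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            blob = zf.read(name)
            full = f"{path}{name}"
            if zipfile.is_zipfile(io.BytesIO(blob)):
                # e.g. the workbook behind a chart, under ppt/embeddings/
                embedded.append(full)
                sub_emb, sub_hits = scan_container(blob, full + "!")
                embedded += sub_emb
                hits += sub_hits
            elif name.endswith((".xml", ".rels")):
                text = blob.decode("utf-8", errors="replace")
                hits += [(full, m) for m in SSN_RE.findall(text)]
    return embedded, hits

def build_sample_pptx():
    """Constructed sample: a deck whose chart keeps its source workbook."""
    book = io.BytesIO()
    with zipfile.ZipFile(book, "w") as x:
        x.writestr("xl/sharedStrings.xml",
                   "<sst><si><t>Jane Sample</t></si>"
                   "<si><t>000-12-3456</t></si></sst>")  # constructed value
    deck = io.BytesIO()
    with zipfile.ZipFile(deck, "w") as p:
        p.writestr("ppt/slides/slide1.xml", "<p:sld>Survival by cohort</p:sld>")
        p.writestr("ppt/charts/chart1.xml", "<c:chart><c:v>0.82</c:v></c:chart>")
        p.writestr("ppt/embeddings/Microsoft_Excel_Sheet1.xlsx", book.getvalue())
    return deck.getvalue()

if __name__ == "__main__":
    embedded, hits = scan_container(build_sample_pptx())
    for part in embedded:
        print("embedded package:", part)
    for part, value in hits:
        print("SSN-shaped text in", part, "->", "***-**-" + value[-4:])
```

Any embedded package in a deck bound for a public site is worth a manual look even when no pattern matches, since names and clinical details do not follow a fixed format.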