

Healthcare Organizations Are Exposing PII Through Incorrect File Sharing

A report published this week has warned about gaps in data security and compliance at healthcare organizations, where files containing personally identifiable information (PII) are being shared using nonsecure methods.

The report was published by Metomic, a UK data security software company that helps organizations protect sensitive data in SaaS, GenAI, and cloud apps. The company's research has revealed that many healthcare organizations are exposing large amounts of sensitive data through incorrect file sharing.

While employees may be aware of the importance of protecting HIPAA-covered protected health information, PII is often shared insecurely. According to Metomic, 25% of publicly shared files contain PII such as names, addresses, and Social Security numbers, which, if intercepted, could be used for identity theft, fraud, phishing, and social engineering. Metomic's research also found that 77% of private files shared internally contained PII, and 68% of private files shared externally included PII.

Sensitive data is typically exposed as a result of employee errors, often because the workforce has not been trained on the importance of following cybersecurity best practices. Metomic has shared some of the most common file-sharing errors by employees that are exposing sensitive data.


These include data exported from internal systems and downloaded to personal drives or shared publicly. These mistakes often occur when employees complete one-off tasks, such as downloading spreadsheets or CSV files containing customer data for analysis, or when software engineers use customer data to run tests. Other scenarios involve customer support workers exporting data from Jira tickets that contain PII and protected health information (PHI), either by downloading files that were originally uploaded to Jira or by downloading the tickets themselves.

Metomic has observed healthcare companies inadvertently sharing the sensitive data of medical professional clients, such as external contractors, as public files; databases of leads have been found at healthcare organizations that target medical practices; and legal teams have shared their contracts with external clients publicly or domain-wide.

There have been multiple cases of information being shared with external users, where access permissions were granted but never revoked. Once forgotten, those permissions increase the risk of accidental disclosure of sensitive information. Metomic's review of HR teams found that staff had shared personal employee data company-wide, and in some cases employee health data. For instance, a list of employees containing their PII is downloaded from Workday into a Google Sheet, which is then shared domain-wide.

In the report, Metomic shares tips for protecting sensitive data and avoiding privacy violations. The most important is to use a data loss prevention (DLP) solution that can identify sensitive data across different SaaS applications and automate remediation. Such a solution can be configured to scan for healthcare-related data, PII, publicly shared files in Google Drive, credit card information, financial account numbers, employee salary data, and passwords and login details, and then automatically redact that information, alert the employee concerned, and generate alerts for the compliance/security team.
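As an added illustration (not code from Metomic or the article), the following Python sketch shows the two checks such a DLP scan combines: ranking a file's exposure from its sharing metadata, and detecting and redacting PII patterns in its content, with an alert only when both apply. The sample files, field names, and detector patterns are constructed for this example.

```python
import re
# Constructed sample files with sharing metadata, modelled on the report's scenarios
# (a Workday export shared domain-wide, a Jira export still shared with an external
# account, a harmless public file). Not real data.
SAMPLE_FILES = [
    {"name": "employees.csv", "sharing": "domain", "external_users": [],
     "content": "Jane Doe,123-45-6789,jane@example.com"},
    {"name": "jira-export.csv", "sharing": "private",
     "external_users": ["contractor@partner.example"],
     "content": "ticket-42,John Roe,card 4111 1111 1111 1111"},
    {"name": "agenda.txt", "sharing": "public", "external_users": [],
     "content": "Meeting agenda for Tuesday"},
]

# Detectors for some of the data classes the article lists. A card match is only a
# candidate until it passes the Luhn checksum, which filters out other digit runs.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "credit_card": re.compile(r"\b(?:\d[ -]?){12,15}\d\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}

def luhn_ok(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def exposure(file: dict) -> str:
    # Rank reachability from the sharing metadata alone, before looking at content.
    if file["sharing"] == "public":
        return "public"
    if file["sharing"] == "domain":
        return "domain-wide"
    return "external" if file["external_users"] else "internal"

def scan_file(file: dict) -> dict:
    # Find PII, redact it in the returned copy, and flag files that need an alert.
    text, findings = file["content"], {}
    for label, pattern in PATTERNS.items():
        def redact(m, label=label):
            if label == "credit_card" and not luhn_ok(re.sub(r"\D", "", m.group())):
                return m.group()  # digit run that fails Luhn: leave it alone
            findings[label] = findings.get(label, 0) + 1
            return f"[{label.upper()}]"
        text = pattern.sub(redact, text)
    level = exposure(file)  # alert whenever PII sits beyond the owner's private copy
    return {"name": file["name"], "exposure": level, "findings": findings,
            "redacted": text, "alert": bool(findings) and level != "internal"}
```

A real deployment would pull the sharing metadata from the SaaS provider's API and route the alert to the file owner and the security team, as the report describes.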

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
