Share this article on:
Earlier this year the U.S Postal Service was targeted by cybercriminals who gained access to a database containing the confidential data of past and present post office workers, including social security numbers, names, addresses and telephone numbers. The HIPAA breach also affected a limited number of customers; those who contacted the postal service between Jan. 1 and Aug. 16, although no customer data was limited to telephone numbers, names and email addresses.
The USPS started planning increased security measures after it was notified by the FBI about the breach, although action to protect the data was delayed according to the Washington Post, with measures to tackle the security issues only implemented in early November this year.
In addition to facing potential fines from the OCR for the HIPAA breach, the USPS is now under the scrutiny of the American Postal Workers Union which filed for unfair labor practices last month following on from the breach and how the USPS responded.
The charges were filed with the National Labor Relations Board with the Union believing that it should have been consulted following the breach before the affected employees were offered services to mitigate the damage caused. The Union believes it should have been consulted and given the opportunity to bargain over the response, instead of the employees being contacted directly to advise them of the data breach with an offer of a year of free Equifax credit monitoring services.
Under HIPAA regulations, any entity affected by a data breach must notify the individuals concerned as soon as possible after the breach has been discovered; although the legislation does not state that employee unions must be notified. The APWU is arguing that while the USPS is not obligated to inform the unions under HIPAA regulations, it is obliged to contact the unions under the National Labor Relations Act.
It is being argued that the union should have been given the opportunity to be involved in discussions on how best to address the issues affecting the employees whose data had been compromised. A telephone call was made to APWU President – Mark Dimondstein – following the breach, although it is maintained that the level of involvement of the union was unsatisfactory.
If a company must involve employees’ unions immediately after a breach it may slow down the process of notifying those affected. This could potentially lead to greater damage being caused and higher losses being suffered by the individuals affected. The primary purpose of the data breach notification process is to contact the individuals affected as quickly as possible to allow them to take action to protect their identities and assets. The NLRB has yet to address the charge, although healthcare organizations should consider involving the unions after any data breach that exposes employee data and to revise data breach policies to this effect.