A small update to the South Shore Hospital data breach: the company which South Shore contracted to destroy 800,000 computer records had in turn outsourced the job to a third party. So far, it hasn’t been clarified what type of data protection, if any, existed–although I’m still hoping to hear that something along the lines of drive encryption like AlertBoot was used.
Third Party Breach, First Party Negligence?
I’ve already covered the South Shore breach here. In light of the revelation of the subcontracting, I wonder: who’s at fault here?
The unnamed subcontractor didn’t technically lose the information. The claim is that they received a partial shipment, so technically it’s not their fault. How can you blame the receiving party, unless they had sent someone to fetch the…whatever it is that was supposed to be delivered (backup tapes? CDs? Hard drives? Etch-a-Sketches? It still hasn’t been revealed.)
Then, you’ve got the original contractor in the middle who probably sent the records. Did they, too, receive only a partial shipment? Are they to blame? Why didn’t they do the job of destroying the records themselves? The usual answer is, of course, because they could get someone else to do it for them for less. Technically, the breach could have been avoided if the contractor hadn’t outsourced the work (but this is in hindsight and applies to this case only).
Should the courier company employed by the contractor (I’m assuming one was used) be blamed?
And finally, we have South Shore Hospital. Perhaps it should be blamed for the breach. After all, they were the ones that handed the records to the contractor, presumably without using encryption software to safeguard the information (otherwise, we really wouldn’t be hearing about this issue).
The more parties that are involved, the harder data security becomes. So does pinning the blame. Assigning responsibility, however, is easy (although not always fair): In this case, it’s South Shore Hospital that’s responsible. That’s why their name is listed at the “HHS 500 or more records affected” site.