Notification of Breach & Risk of Harm Analysis Report
It is June 1, 2015. You are the ISO (information security officer) of Acme Pharma Company (APhCo). APhCo is an online pharmaceutical supplier. The company supplies prescription drugs to individuals by mail, primarily serving the West/Southwest. Physicians' offices send APhCo electronic prescription information, and APhCo fills the prescription and sends it to the customer via US postal mail.
Your team informs you that a report (a CSV file) appears to have been inadvertently made available on the APhCo website. You look at the file's creation date and notice that it has been there for 14 months. The file has an odd name, and no web page links to it. APhCo keeps web server log files for 12 months. A search of these log files shows no access via web browser.
An analysis of the file shows that it contains first name, last name, Med ID #, prescribing physician's ID, street address, city, state, SSN and prescription order information. There are 69,707 unique identities: 31,225 in California, 17,125 in Arizona, 13,214 in Nevada and 8,143 in Oregon.
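The two checks the scenario describes, searching the retained web logs for any request for the exposed file and counting unique identities per state, are routine enough to script. The block below is an added example written for this page, not code from APhCo or the assignment. The log lines, the CSV rows and the file name `/rx_export_0403.csv` are constructed; the April 3, 2014 creation date is taken from the memo below, and the 12-month retention from the scenario. It goes slightly beyond the text in two ways: it matches every request for the path regardless of method, status or User-Agent (a scripted `curl` download is not a "web browser" but is still an access), and it computes how many days of the exposure window fall before the oldest retained log entry, since that gap is what limits the "no access" conclusion.

```python
import csv
import io
import re
from collections import Counter
from datetime import date, timedelta

# Constructed sample inputs (not APhCo data): two access-log lines in Common
# Log Format and a three-row CSV with the column layout the scenario describes.
SAMPLE_LOG = """\
203.0.113.7 - - [12/May/2015:10:14:03 -0700] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [13/May/2015:02:41:55 -0700] "GET /rx_export_0403.csv HTTP/1.1" 200 8831004 "-" "curl/7.35.0"
"""
SAMPLE_CSV = """\
first,last,med_id,physician_id,street,city,state,ssn,order_info
Ann,Lee,M1,P9,1 Main St,Fresno,CA,123-45-6789,rx100
Ann,Lee,M1,P9,1 Main St,Fresno,CA,123-45-6789,rx101
Bob,Ray,M2,P9,2 Elm St,Phoenix,AZ,987-65-4321,rx102
"""

# Common Log Format with the optional referer and user-agent fields.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<ref>[^"]*)" "(?P<ua>[^"]*)")?'
)


def find_file_requests(log_text, target_path):
    """Return every request for target_path, whatever the method, status
    code or User-Agent. Filtering on browser-looking agents would miss
    scripted downloads such as the curl hit in the sample."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group("path").split("?")[0] == target_path:
            hits.append({k: m.group(k) for k in ("ip", "ts", "method", "status", "ua")})
    return hits


def log_coverage_gap_days(file_created, retention_days, today):
    """Days the file was exposed before the earliest retained log entry.
    A positive value means 'no access in the logs' is not 'no access'."""
    earliest_log = today - timedelta(days=retention_days)
    return max(0, (earliest_log - file_created).days)


def count_identities_by_state(csv_text):
    """Unique individuals (keyed on SSN) per state, not raw rows: a person
    with two prescriptions in the file is one notification, not two."""
    seen = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        seen.setdefault(row["ssn"], row["state"].strip().upper())
    return Counter(seen.values())


if __name__ == "__main__":
    for hit in find_file_requests(SAMPLE_LOG, "/rx_export_0403.csv"):
        print("access:", hit)
    gap = log_coverage_gap_days(date(2014, 4, 3), 365, date(2015, 6, 1))
    print("days of exposure with no retained logs:", gap)
    print("identities by state:", dict(count_identities_by_state(SAMPLE_CSV)))
```

With the scenario's dates, 59 days of the exposure window precede the oldest retained log line, so the retained logs can only say there was no recorded access in the last 12 months. Before relying on that, a practitioner would also check whether any reverse proxy, CDN or load balancer in front of the web server kept its own logs for the missing period, and whether the file appears in search-engine caches.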
You must write a memo to the CIO recommending the steps that must be taken to make sure you comply with required breach notification laws. You are aware that in addition to HIPAA, states have notification requirements. You notice that a number of law firms have summarized state breach laws, e.g. http://www.bakerlaw.com/files/Uploads/Documents/Data%20Breach%20documents/Data_Breach_Charts.pdf, or http://www.steptoe.com/assets/htmldocuments/SteptoeDataBreachNotificationChart.pdf
Your memo should
1) Identify the relevant notification laws
2) Discuss and explain the options and required actions
3) Recommend the steps APhCo must take
4) Discuss the timeline
5) Describe any content or context requirements for the notification
6) Estimate the cost of notification
On June 1, 2015, I conducted a risk of harm analysis and determined that there was a breach of security of the APhCo system data. I was made aware of this incident when I noticed that a CSV file had been uploaded to the APhCo website. In my analysis of the log files, I discovered that the CSV file was created on April 3, 2014, and saved under an unidentified name. Since APhCo only keeps web server log files for 12 months, the suspicious behavior leads me to believe that this is an internal threat, given that the log files show no sign of access via web browser. The CSV file contained personal information such as first names, last names, Med ID #s, prescribing physician's IDs, street addresses, cities, states, SSNs and prescription order information. The number of exposed records as of June 1, 2015, stands at a total of 69,707: 31,225 of them in California, 17,125 in Arizona, 13,214 in Nevada and 8,143 in Oregon.