Cyber Risks: Unintended Data Disclosure

Unintended data disclosures can occur in every type of work environment. Legal requirements to keep patient information confidential make it particularly challenging in healthcare. Organizations in many industries increasingly use third-party service providers, and that can lead to documents containing significant amounts of sensitive data needing to be secured appropriately. We provide clients with training and the technology resources required to reduce their risks of unintended or unintended disclosure.

The most common forms of unintended data disclosure

Communications sent to the wrong recipient

Not all data losses result from a cyber attack. Emails, faxes, or mailings can be inadvertently sent to the wrong recipient, particularly when employees are busy.

For example, medical information such as patient discharge instructions or prescription information can be sent to the wrong patient or another individual.

Exposure through social media

The widespread use of social media and smartphone cameras can result in an employee sharing sensitive data, such as information about a healthcare patient.

Failure to separate collections of sensitive information

Using third-party service providers for administrative purposes can result in files containing a collection of sensitive data, such as employee payroll or tax documents, exported from the provider. An employee may accidentally share the file with the wrong recipient.

Configuration errors

When access is not properly restricted, sensitive data on network file shares or stored in the cloud can be left accessible to unauthorised users.

This a particular risk when a server is updated for maintenance and forgotten temporary changes in configuration can leave the server exposed to unauthorised access.

How to protect against unintended data disclosure

Data governance

Assess and classify your data based on the level of its sensitivity. Establish procedures that protect and secure the handling of your sensitive data, including assigning permissions based on the principle of least privilege (especially with roles giving access to all data, or for roles allowing bulk downloads of data).

Limit social media access in the workplace

Establish a social media policy. Train your employees on risks related social media posts that might reveal sensitive information, particularly employees in healthcare. As AI becomes more popular, establish rules to restrict what can be shared via tools like ChatGPT.

Train employees on their role in securing data

Employees should be trained on how to ensure that any sensitive data, including paper records, is stored securely when they finish work the day. Workstations should be locked when the employee steps away, to prevent anyone nearby from unauthorised access.

Manage employee workloads

Time-stretched employees are the most likely to make mistakes, for instance picking up several sheets of paper instead of one, sending an email to the wrong recipient, or failing to verify a patient’s information.

Secure cloud resources and manage network file shares

Use role-based access controls to manage access to your network file shares. Use group policies to manage the sharing of documents externally. Block access to unauthorised cloud storage platforms. Regularly audit configuration settings on your organization’s cloud-based resources.

What to do if you suspect an unintended data disclosure

Data disclosures of any kind are important to deal with quickly, and thoroughly. Depending on your geography and region, there may be very specific regulatory requirements that must be addressed, as well as the potential impact any data leakage could have on the subjects. In particular we recommend engaging with forensics experts such as ourselves to understand the full scope of the issue, as well as legal counsel experienced in cyber incidents and privacy concerns. Our Cyber Services team can walk you through all the considerations.