The New York City Health Hospital Corporation (HHC) notified 1.7 million patients, staff, contractors and vendors associated with its Jacobi Medical Center North Bronx Hospital and its networks that their personal/health information had been stolen. The hospital expressed regret for the inconvenience and any concerns the incident might cause its patients, staff or others who were affected. It attributed the loss to negligence by a contracted firm that specialized in the secure transport and storage of sensitive data. It drew comfort from the fact that, as of the date of the notification, the data had not been inappropriately accessed or misused. Finally, the HHC took responsibility for providing information and credit monitoring services to all affected individuals, who may be worried by the identity theft risk that was reported to them.

While this communication was wholly in line with the federal regulations and legal mandates that bind the hospital, the fact remains that the affected parties had their identities stolen; identity theft can be worrying, and the impact of the theft may be felt by the affected individuals for several years following the security breach. The affected parties could sue the organization for millions of dollars for negligence! This raises questions around data security.

Are organizations right to entrust their data to third parties for safekeeping? How can they ensure that the data does not get stolen, misused or accessed inappropriately? What is the third party's liability for the data in its custody? The answers to these questions are not simple, and an increasing reliance on third-party, cloud-based data storage services is making the need for answers more urgent.

There is no simple solution. Enterprises trusting their data to third parties must make a concerted effort to ensure that the data they entrust remains secure and inviolable. They need to put time and energy into evaluating the reliability of the data security claims made by those third parties.

  1. Are the guarantees of data security set out in the service level agreements actually being delivered by the service vendors?
  2. Are the so-called impregnable cryptographic models in use really impregnable?
  3. Has the vendor’s encryption methodology been certified by a reliable certification authority?
  4. How is the data stored in the third-party repository?
  5. Who has access to the data in the store?
  6. With whom does the vendor share the data, and for what purpose?
  7. Is the vendor willing to take on responsibility for any data breach that may occur due to carelessness?
  8. What are the rights and liabilities of your enterprise in the event of a data breach?

The answers to these questions will help you evaluate the security protocols of your service provider and ensure that you pick the right service for the job.

Source: “Confidential Personal Health Data of 1.7 Million People Stolen”, Press Release edited by on Thu, February 24th, 2011 at [Accessed: 6th March 2011]