PowerPoint Charts Led to Breaches

Memorial Sloan-Kettering Reports Unusual Incidents
PowerPoint Charts Led to Breaches

Sometimes, data breaches can result from data hidden in unusual places. Memorial Sloan-Kettering Cancer Center in New York is notifying 880 patients that some of their personal information may have been exposed when it was inadvertently embedded in PowerPoint charts posted on two websites.

See Also: Improving Security Compliance in The Financial Industry With Data Privacy Regulations

In April, the cancer center, as part of its ongoing data security efforts, discovered five incidents involving patient information that was hidden behind graphs in PowerPoint presentations on the websites of two professional medical organizations, according to a June 15 privacy alert posted on its website. The information "was not visible during routine viewing of the presentation, but the graph itself could be manipulated in such a way as to potentially reveal the protected information," according to the alert.

The investigation revealed five separate incidents involving PowerPoint files, each of which affected different groups of patients, contained different data elements and involved postings at different time periods, the alert says. The largest file affected 568 patients. Patient names, clinical information and, in some cases, Social Security numbers, were embedded in the charts, a medical center spokesman says.

"As soon as these incidents were discovered, we took immediate action, and the information was removed," the alert states. The medical center has no evidence the information has been misused.

All those potentially affected have been notified and offered one year's worth of free services from ID Experts, including, in some cases, credit monitoring, the spokesman says.

"Memorial Sloan-Kettering has taken significant measures to strengthen our information and data security systems, has taken corrective action with those involved and has educated staff so that this situation does not occur again," the alert states.

Protecting Information

To protect patient information, such as by encrypting it, healthcare organizations must first be able to identify all the places where it resides, attorney Melodi Mosley Gates of Patton Boggs LLC stressed in a recent interview.

First, organizations should conduct a business-process review, surveying appropriate staff members and mapping their business processes, she said. Second, they should consider using data loss prevention software to help identify where patient information resides.

"One of the really interesting things DLP can do is it can help to scan your environment and inventory that kind of data, even if it's embedded out in things like Excel files," Gates said. "It's not a simple process. It can be a lengthy one, but it can be very helpful."


About the Author

Howard Anderson

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.