A company that provides offsite storage for electronic medical records suffered a data breach when several of its decommissioned servers were stolen by an employee. The servers had been taken offline and placed in a closet, but they were never wiped. After a few years, the employee noticed the unused servers and decided that he could sell them for personal profit, which he did via eBay. One of the buyers realized that the server had not been wiped, looked at the documents on it and recognized them as medical records. The buyer called the FBI. At this point, the rogue employee's plot unraveled. He was terminated, arrested and prosecuted for theft.
The company hired Stroz Friedberg to analyze whether any of the other stolen servers had contained medical or personal information, and subsequently to determine who would need to be notified that their personal information had been compromised. After a thorough review of multiple servers, we were able to demonstrate that several of the servers did not contain recoverable information, and thus did not trigger any notification laws. Further forensic examination of the one server that did contain medical records revealed that only three of these records had been accessed (all by the innocent buyer who notified the police). The remaining files, amounting to over 1 million medical records, had not been opened or accessed since before the server had been stolen. Based on this information, the company's lawyers advised that they only had to notify a small number of individuals of the theft, saving millions of dollars and, more importantly, preserving the company's professional reputation.
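The scoping question in the paragraph above (which files were opened after the server left the company's custody?) is typically answered by comparing each file's last-access timestamp against the theft date. The following is an added illustration of that triage, written for this page; it is not Stroz Friedberg's code or method, and the file list, timestamps and theft date are constructed. It also includes the check a practitioner would want: if no file on the volume has an access time later than its modification time, the filesystem was probably not maintaining access times at all, and "never opened" cannot be concluded from timestamps alone.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class FileRecord:
    """One file's metadata as read from a write-blocked image of the server."""
    path: str
    modified: datetime   # content last written (the M timestamp)
    accessed: datetime   # last read/open recorded by the filesystem (the A timestamp)


def utc(year, month, day, hour=0, minute=0):
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


# Constructed sample metadata: five records, three of them opened within a few
# minutes of each other long after the server was taken out of service.
SAMPLE_RECORDS = [
    FileRecord("/records/patient_0001.pdf", utc(2005, 3, 1), utc(2005, 3, 1)),
    FileRecord("/records/patient_0002.pdf", utc(2005, 3, 2), utc(2009, 9, 14, 20, 5)),
    FileRecord("/records/patient_0003.pdf", utc(2005, 3, 2), utc(2009, 9, 14, 20, 7)),
    FileRecord("/records/patient_0004.pdf", utc(2005, 3, 3), utc(2006, 1, 10)),
    FileRecord("/records/patient_0005.pdf", utc(2005, 3, 4), utc(2009, 9, 14, 20, 9)),
]

# Assumed (constructed) date on which the server left the company's custody.
THEFT_TIME = utc(2009, 8, 1)


def triage_access(records, theft_time):
    """Split records into those with a post-theft access time and those without.

    Returns (opened_after_theft, not_opened_after_theft); the first list is the
    set of records whose subjects may need notification.
    """
    opened = [r for r in records if r.accessed >= theft_time]
    untouched = [r for r in records if r.accessed < theft_time]
    return opened, untouched


def atime_maintained(records):
    """Sanity check before trusting 'not accessed' conclusions.

    Access-time updates are often disabled (NTFS NtfsDisableLastAccessUpdate,
    Linux noatime/relatime mounts). If no file on the volume shows an access
    time later than its modification time, assume the A timestamp is not
    being maintained and corroborate with other artifacts instead.
    """
    if not records:
        return False
    return any(r.accessed > r.modified for r in records)


def summarize(records, theft_time):
    """Return the numbers a notification decision would be based on."""
    opened, untouched = triage_access(records, theft_time)
    return {
        "atime_maintained": atime_maintained(records),
        "opened_after_theft": [r.path for r in opened],
        "not_opened_after_theft": len(untouched),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_RECORDS, THEFT_TIME).items():
        print(f"{key}: {value}")
```

The timestamps must come from a forensic image taken through a write blocker: mounting the stolen disk normally would itself update access times and destroy exactly the evidence being examined. Even with a clean image, a cluster of access times after the theft date establishes that files were opened, while the absence of such times is only persuasive once the check above shows the filesystem was recording them.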