Has there ever been a more meaningless, patronizing, and pathetic comment made after a cardholder data security breach than: "We take patients’ [or customers'] information very seriously, and we’re reviewing our policy, and our training procedures to make sure this never happens again?"
According to
this report from the Boston Globe, St. Elizabeth's Medical Center is currently notifying more than 6,800 people that they potentially compromised billing information, including credit card numbers and security codes. It happened when documents the hospital planned to shred were removed by a vendor from a building scheduled for demolition. Unfortunately, the papers (or at least some of them) containing the PANs and security codes (and probably names, too) were found blowing across a nearby field.
Where do we even begin to go through the mistakes this institution is reported to have made, none of which is excusable?
Let's start with keeping PAN data on paper records. PCI allows you to do this, but you need to protect the data. Here, the mistake probably was keeping the data in the first place. I'm pretty sure the hospital could live with just keeping the last four digits, but they kept -- and then managed to lose -- the full PAN.
Then, the hospital also reportedly kept the 3-digit security codes. For this, ignorance can no longer be an excuse. PCI explicitly prohibits retaining the security codes. If they are on a paper form, then you have to find a way to physically get rid of them. Sadly, the same helpful people who decided to keep the PAN apparently also decided they should keep the security codes, too.
How did the papers get lost? The hospital hired "certain trusted vendors" to clear out a building and shred the paper. It looks like the vendor took some shortcuts and never bothered shredding all the records. You may have noticed by now that nowhere have I mentioned the name of this third party. The reason is that it does not matter: the breach was the hospital's. Just like with any service provider, a merchant can outsource a function, but they cannot outsource responsibility. Rarely has this principle been more clearly illustrated than in this unfortunate breach.
Maybe the hospital will get lucky and only those few papers blowing through the field were lost. This situation is possible. Regardless, the hospital has to pay to notify all 6,831 patients as well as any other expenses. If there is any good news in this mess, it appears that no medical information was lost, so the hospital faces only fines from the payment brands and not HIPAA-related fines.
The lesson for all your cashier, bursar, auxiliary, medical, parking, and other campus departments on that take cards and keep cardholder data is that they are doing the PCI equivalent of juggling razor blades. The PCI team must challenge why they are keeping the data in the first place. Merchants need to be sure they are not storing any sensitive authentication data like the security codes. Then, merchants have to realize that they cannot dodge responsibility for securing the data at all times, including on the way to the shredder. That low-priced bidder is carrying the institution's reputation (and checkbook!), so merchants need to continue to treat the data as their own (which they are). Lastly, do me a favor and please check your Incident Response Plan so you don't issue the usual pandering press release. Telling your customer/victims how much you value them just sounds too much like the incongruous "your call is important to us" we hear as we enter customer service voice mail hell.
Paper cardholder data can be breached just as easily as electronic cardholder data. This is a good lesson. It may be painfully learned in some cases, but a good lesson nevertheless.