On March 22, Urology Austin became the second medical company to suffer from a major breach. It was a particularly nasty one, combining data theft with a ransomware attack that impacted more than a quarter million users.
To its credit, the company took immediate, decisive action. It ensured that no one’s care was impacted and notified affected users, offering them a year’s worth of free credit and identity monitoring. Unfortunately, the breach underscored a weakness that often goes unnoticed.
When the company announced the breach, they indicated that the hackers were able to get their hands on a large amount of legacy data. That is data pertaining to patients who had not received care from the facility in years, but which was still stored on company servers.
This raises a delicate and troubling question.
Once a company has completed a given course of treatment for a patient, how long should it keep the digital records? A year? Seven years? Forever?
There are currently no standards in place, but given how cheap bulk storage has become, companies have simply defaulted to the position of keeping every scrap of data forever, and that can have unfortunate consequences as this latest breach demonstrates.
Some security experts have put forth the notion that one thing companies could do if they’re inclined to keep data for extended periods of time is to “de-identify” it. That means they should strip out any and all data that could conclusively pair it to a specific individual, but keep the treatment data itself for research purposes.
This is not widely done anywhere at this point, but it’s an idea that makes sense, if companies insist on keeping data long term.
There are no easy solutions here. On one hand, the day will surely come that a company deletes some information only to find out that it has a pressing need for it and no way to recover it. Or, on the other hand, a company will suffer a catastrophic breach that impacts years, or even decades’ worth of data with ruinous financial consequences.
How long do you keep client data, and do you have a well-defined policy that covers the subject? If you don’t, now is the time to change that.