The Personal Data Protection Commission (the “Commission”) received a data breach notification on 22 September 2020 from Assisi Hospice (“Assisi”). Assisi had disclosed personal data of its patients (“Patients”) via 43 separate emails (“Emails”) sent erroneously to a single unintended external party between January and September 2020. The personal data was contained in a list set out in an Excel spreadsheet (“List”) attached to the Emails and updated periodically. The List was meant to serve as an easy reference for after-hours on-call employees, especially when Patients’ data could not readily be accessed, such as when the system holding the electronic patient records was undergoing maintenance.
The List included the names, addresses, contact numbers, NRIC numbers and disease classifications of 1593 Patients (cumulative number over the 43 occasions). The disease classifications are referenced from the International Classification of Diseases.
It was established that the disclosure occurred because an Assisi employee sent the Emails to an erroneous email address belonging to an external party. Notably, the erroneous email address was not an official work email account. The employee had also not followed Assisi’s existing personal data protection policy, which required the List to be password protected.
After the incident, as part of the remediation plan, Assisi:
(a) ceased the practice of distributing a soft-copy List containing personal data of the Patients to its after hours on-call employees (including via emails) and required such employees to refer to the electronic patient records instead;
(b) reminded all employees to password protect email attachments containing personal data and to send the password in a separate channel or email thereafter. Where an email has no attachment, employees were required to mask personal data in the email body itself;
(c) reminded all employees to use only work email accounts for communication of work-related items, and not to send any email containing sensitive and/or confidential data to non-work email accounts; and
(d) reviewed every department’s work processes in relation to the management of personal data. Its data protection officer would also commence sending emails on a quarterly basis to remind its employees of the existing personal data protection policies.
Having considered the circumstances of the case, including the remedial steps taken by Assisi to improve its personal data protection practices, the Commission accepted an undertaking from Assisi to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 16 December 2020 (the “Undertaking”).
The Undertaking provided that Assisi was to complete the implementation of its remediation plan, that is, to configure its email system to alert the sender whenever the email body contains sensitive information such as an NRIC number or FIN, and/or whenever an attachment that is not password protected contains an NRIC number or FIN. Assisi has since updated the Commission that implementation of its remediation plan has been completed. The Commission has reviewed the matter and determined that Assisi has complied with the terms of the Undertaking.
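The alerting control described in the Undertaking is, in data-loss-prevention terms, an outbound mail check with two predicates: NRIC/FIN values in the body, and NRIC/FIN values inside an attachment that has not been password protected. The following is an added example of such a check written for this page; it is not Assisi's implementation and nothing about Assisi's email system is known beyond the sentence above. It assumes a work mail domain of example.org (made up), identifies NRIC/FIN values by the S/T/F/G prefix formats together with their published checksum so that incidental letter-and-digit strings do not fire, and treats an Office attachment as password protected when it is an OLE2 compound file rather than a plain ZIP package, which is how Excel stores a workbook saved with a password. The sample message and the spreadsheet stand-in are constructed inline; all identifiers in them are made up, and the "protected" attachment is only a compound-file header, not a real encrypted workbook.

```python
"""Outbound-email check for Singapore NRIC/FIN values in the body or in
attachments that are not password protected (added example, not Assisi's system)."""
import io
import re
import zipfile
from dataclasses import dataclass, field

# NRIC/FIN format: prefix letter, seven digits, check letter. Text is upper-cased before scanning.
# Assumption: only the S/T (NRIC) and F/G (FIN) series are handled here.
NRIC_RE = re.compile(r"\b([STFG])(\d{7})([A-Z])\b")
WEIGHTS = (2, 7, 6, 5, 4, 3, 2)
CHECK_LETTERS = {"S": "JZIHGFEDCBA", "T": "JZIHGFEDCBA",
                 "F": "XWUTRQPNMLK", "G": "XWUTRQPNMLK"}
PREFIX_OFFSET = {"S": 0, "T": 4, "F": 0, "G": 4}

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # compound file: how a password-saved .xlsx is wrapped
ZIP_MAGIC = b"PK\x03\x04"                         # plain, unprotected OOXML packages are ZIP files


def valid_nric(token: str) -> bool:
    """Weighted-sum checksum so that look-alike codes do not raise alerts."""
    m = NRIC_RE.fullmatch(token.upper())
    if not m:
        return False
    prefix, digits, check = m.groups()
    total = sum(w * int(d) for w, d in zip(WEIGHTS, digits)) + PREFIX_OFFSET[prefix]
    return CHECK_LETTERS[prefix][total % 11] == check


def find_identifiers(text: str) -> list:
    """Every checksum-valid NRIC/FIN in text, upper-cased, in order of appearance."""
    return [m.group(0) for m in NRIC_RE.finditer(text.upper()) if valid_nric(m.group(0))]


def attachment_is_password_protected(data: bytes) -> bool:
    """Heuristic for Office files: password-protected .xlsx is an OLE2 container holding the
    encrypted package; an unprotected one is a plain ZIP. (Legacy .xls would need a deeper check.)"""
    return data.startswith(OLE2_MAGIC)


def extract_package_text(data: bytes) -> str:
    """Text of an unprotected OOXML package: concatenate its XML parts and strip tags,
    which is enough for a regex scan of cell strings."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        parts = [n for n in zf.namelist() if n.endswith(".xml")]
        xml = "\n".join(zf.read(n).decode("utf-8", "replace") for n in parts)
    return re.sub(r"<[^>]+>", " ", xml)


@dataclass
class Attachment:
    name: str
    data: bytes


@dataclass
class OutboundMessage:
    sender: str
    recipients: list
    body: str
    attachments: list = field(default_factory=list)


def check_message(msg: OutboundMessage, work_domains=("example.org",)) -> list:
    """Alerts to show the sender before the message leaves. work_domains is an assumed
    allow-list standing in for the organisation's own mail domain (policy item (c))."""
    alerts = []
    external = [r for r in msg.recipients if r.rsplit("@", 1)[-1].lower() not in work_domains]
    if external:
        alerts.append(f"recipient(s) outside work domains: {', '.join(external)}")
    ids = find_identifiers(msg.body)
    if ids:
        alerts.append(f"email body contains {len(ids)} NRIC/FIN value(s)")
    for att in msg.attachments:
        if attachment_is_password_protected(att.data):
            continue  # contents are encrypted; the policy's requirement is met
        if att.data.startswith(ZIP_MAGIC):
            try:
                text = extract_package_text(att.data)
            except zipfile.BadZipFile:
                text = ""
        else:
            text = att.data.decode("utf-8", "replace")  # treat anything else as plain text
        ids = find_identifiers(text)
        if ids:
            alerts.append(f"attachment {att.name} is not password protected and contains "
                          f"{len(ids)} NRIC/FIN value(s)")
    return alerts


def build_sample_xlsx(cells) -> bytes:
    """Constructed stand-in for an on-call list saved as .xlsx: a ZIP with a
    sharedStrings part, which is where Excel keeps text cells."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/sharedStrings.xml",
                    "<sst>" + "".join(f"<si><t>{c}</t></si>" for c in cells) + "</sst>")
    return buf.getvalue()


def sample_message() -> OutboundMessage:
    """Constructed message: NRICs in the body and in an unprotected list, plus a
    protected attachment that must not raise an alert. All values are made up."""
    unprotected = build_sample_xlsx(["Tan Ah Kow", "S1234567D", "C34.9", "G1234567X"])
    protected = OLE2_MAGIC + b"\x00" * 504  # header bytes only, standing in for a password-saved workbook
    return OutboundMessage(
        sender="oncall@example.org",
        recipients=["oncall@example.org", "someone@example.com"],
        body="On-call list attached. Query from patient T0000001E, ref 1234567.",
        attachments=[Attachment("oncall_list.xlsx", unprotected),
                     Attachment("oncall_list_protected.xlsx", protected)],
    )


if __name__ == "__main__":
    for line in check_message(sample_message()):
        print("ALERT:", line)
```

Run as a script, the sample produces three alerts (external recipient, body, unprotected attachment) and none for the protected file. The checksum step matters in practice: without it the pattern also matches file references and order numbers and the alert is soon ignored, which defeats the point of a control aimed at the sender. The ZIP/OLE2 test only answers "is this file encrypted"; it cannot tell whether the password was then sent through a separate channel as item (b) of the policy requires.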