Data breaches happen. Just last week, the livestreaming video game site Twitch reported a massive data leak that included the platform’s source code, as well as payments made to thousands of streamers. Awkward.
For all the effort we put into concocting cryptic passwords, layering in multi-factor authentication, and sending you high-risk data attestations more often than you’d like, sometimes sensitive data gets out.
So, you may be wondering, what kind of data is considered “high risk?” And what should you do if high-risk data has been compromised?
What is high-risk data?
Here at Weill Cornell Medicine, high-risk data is anything that could have a significant adverse impact on WCM’s safety, finances or reputation if it were disclosed. That includes:
- Protected health information (PHI)
- Personally identifiable information (PII), like social security numbers
- Financial data
- Employment records
- Research data involving human subjects
- User accounts or system passwords
For a detailed overview of high-risk data, check out our Data Classification policy.
What do you do if there’s been a data breach?
If you suspect the confidentiality or availability of high-risk data has been compromised, you should tell your supervisor, and report it right away to the ITS department, the Privacy Office, or WCM ITS Security:
- ITS Support: 212-746-4878, support@med.cornell.edu
- WCM Privacy Office: 646-962-6930, privacy@med.cornell.edu
- WCM ITS Security: 646-962-3010, its-security@med.cornell.edu
What types of data breach incidents should be reported?
There are many types of breaches that can occur and should be reported, including:
- Patient information is disclosed
- Medical documents are misplaced or exposed
- A device with WCM data is lost or stolen
- A system or user account is infected with malware or compromised through phishing
- A system is accessed without proper authorization
Once you report a data breach, the incident is investigated and categorized, and a response effort begins to help mitigate the damage. You can read the full details in our Security and Privacy Incident Response Plan.
Did you try our pop quiz yet?
Try our 10-question pop quiz on cybersecurity. We’ll announce some winners on Oct. 15.
October is National Cybersecurity Awareness Month, an annual collaborative effort between government and industry to ensure we have the resources you need to maintain your security online. Throughout October, we’ll be sending you tips on protecting your information and avoiding malicious attempts to extract your personal data. See our past tips here.