News

Kiosk security breach gives employees access to private info

April 13, 2011

A five-month breach in security at hospital kiosks in Massachusetts allowed employees access to one another's personal pay stub information.

According to a story in the Telegram, UMass Memorial Healthcare, the largest health-care system in Central and Western Massachusetts, learned March 10 that at 10 kiosks where employees could view their pay stub information, subsequent users were able to access the information of previous users, said Rob Brogna, UMass Memorial spokesman. Upon confirming the problem, UMass Memorial removed the kiosks from use.

The day after the breach was discovered, UMass Memorial applied a system-wide software change to disable the pertinent setting on the organization's HRConnect application, Brogna said in the interview. On March 16, the direct deposit bank account number was redacted from the information on HRConnect, and subsequently the 10 kiosks were returned to the campuses for employee use.

The personal information potentially exposed included the employee's name, bank name, bank transit number and bank account number. The breach did not involve employee Social Security numbers or medical record or patient information, according to the story. 

UMass Memorial has no reason to believe that any of the personal information on HRConnect has been misused, according to Brogna, but the company is notifying all potentially affected employees of the incident.

The organization is offering potentially affected employees reimbursement of the costs to institute a security freeze with the three national credit reporting agencies and is offering one year of free credit monitoring through TransUnion Interactive, according to the story.

How do you keep your kiosk system secure? Leave your comments below.