“Most hospitals don’t know all the data breaches they have,” says Mac McMillan, current chair of the privacy and security task force at the Healthcare Information and Management Systems Society. He had very recently worked with a large hospital system that inadvertently provided a patient online access to another patient’s record as the result of an administrative error. The hospital wouldn’t have known about the error had the patient not called to let them know, he says.

“That’s still where we are today — a lot of hospitals don’t find out they’ve had a breach until someone tells them,” says Mr. McMillan. Therefore, “from a strategic perspective, data protection has to be a combination of user awareness and reaction to incidents, and how we handle information management going forward.”

Brett Short, chief compliance officer at the University of Kentucky’s Chandler Medical Center in Lexington, has made a point of urging all medical center employees to report any potential breach. This year’s employee training has emphasized teaching employees to identify circumstances that could result in compromised data, and report all such instances to his office for further investigation. Learn more here.