Swedish Hospital Employee Data Breach

We received one of the “nearly 20,000″ letters sent out by Swedish Medical Center in Seattle offering free credit monitoring services to employees and former employees whose personal information may have been compromised.  What first caught my eye is that the letter (and a Seattle Times article, but not a Swedish press release) stated that the security breach affected employees who worked for Swedish during all or part of 1994, 1995, 2002, 2003, and 2004.  Our employee relationship with Swedish ended in 1990.

I telephoned the Swedish “Privacy Department.”  The telephone number for the Privacy Department is not listed online, but the main switchboard transferred me, no questions asked.  I told an answering machine that I had some questions about the accidental disclosure of employee data.  My call was returned within a couple of hours, but the nice lady was not able to answer my specific question: Why did we receive the letter if we are not a member of the affected group? However, she did offer to try to find out and call me back.  She called back about an hour later and the answer was, “My boss told me that some employees from 1990 were also affected.”  Her boss, it turns out, is the Swedish Medical Center Privacy Officer, the signer of the letter.  I asked if Swedish is going to issue a new press release stating that employees during additional years may have been affected by the security breach.  She mumbled something that sounded like, “Yes.”

Why did we receive the letter?  Did Swedish send letters to all current and former employees?  Does 19,799 equal the total number of all current and former Swedish employees, or does it equal the number of Swedish employees during the affected years.  Why would Swedish send the letter to non-affected employees?  Why did Swedish apparently alter the text of their July 20, 2011, online press release to eliminate the listing of affected years?  Does Swedish have a business relationship with the provider of the credit monitoring?  Yes, Swedish is footing the bill for the credit monitoring, but for how long?  One year, after which the credit monitoring service potentially has a new paying customer?  Could the benefit to Swedish of such a business relationship with the credit monitoring service really out-weigh the cost to Swedish, as measured in the loss of good-will incurred by subjecting current and former Swedish employees to this advertising scheme?

July 20, 2011, Swedish press release
July 20, 2011, Seattle Times article
Apparent alternate text of Swedish press release

Comments are closed.