Table 23 Information needed in the event of a security breach.
Information Needed in the Event of a Security Breach |
|---|
Investigator |
Name(s) of individual(s) responsible |
Who funded the project? |
Description of the project for which the data was accessed? |
Data Accessed |
Description of data accessed |
Risk level of data |
How many patients/participants/subjects were affected? |
Were any identifiers present in the data? |
Was any data modified – Is the integrity of the data still intact? |
Dates of access |
What period of time did the data cover? |
Incident |
Was data re-identified? |
Where (physically) did the breach take place? |
How many times was the data accessed? |
Was the data accessed by more than one individual? |
Was data made publicly available (for example on a public website)? |
What state did the security breach occur in? |
Were SSNs or other financial information released? |
Management |
What discipline was provided at home institution? |
Who was responsible for maintaining security of data? |
How was the incident discovered? |
Who discovered the incident? |
What was the chain of reporting once the incident was discovered? |
Was there a failure on the part of the local institution? |
What oversight did caBIG governance have over matter? |
Was there an unaffiliated investigator agreement in place? |