Skip to main content

Table 23 Information needed in the event of a security breach.

From: Security and privacy requirements for a multi-institutional cancer research data grid: an interview-based study

Information Needed in the Event of a Security Breach
Name(s) of individual(s) responsible
Who funded the project?
Description of the project for which the data was accessed?
Data Accessed
Description of data accessed
Risk level of data
How many patients/participants/subjects were affected?
Were any identifiers present in the data?
Was any data modified – Is the integrity of the data still intact?
Dates of access
What period of time did the data cover?
Was data re-identified?
Where (physically) did the breach take place?
How many times was the data accessed?
Was the data accessed by more than one individual?
Was data made publicly available (for example on a public website)?
What state did the security breach occur in?
Were SSNs or other financial information released?
What discipline was provided at home institution?
Who was responsible for maintaining security of data?
How was the incident discovered?
Who discovered the incident?
What was the chain of reporting once the incident was discovered?
Was there a failure on the part of the local institution?
What oversight did caBIG governance have over matter?
Was there an unaffiliated investigator agreement in place?
  1. Scenario 3 – Question 17. Respondents included individuals from all organizational roles. Data was aggregated with interview statement as the unit of analysis.