A privacy incident is any event that has resulted in (or could result in) unauthorized use or disclosure of PHI or PII data.
If you suspect a data incident has occurred, please complete the following steps immediately:
- Stop all work.
- Call 802.369.9544 to report the incident to the Primary Data Custodian, Sean McNamara.
- If the Primary Data Custodian is unreachable, call 603.646.9650 to report the incident to the Director of Research Cyberinfrastructure, Elijah Gagne.
- If you are unable to reach either of these people by phone, click the button below to submit an email; it sends notifications directly to all Data Incident Response Team members. A representative will respond to your report as soon as possible.
Reportable Data Incident Examples
- Sending, receiving, or sharing any unsuppressed PHI or PII data outside of Granite (e.g., in an email, taking screenshots, writing the information on paper, discussing it with a colleague, or any other form of communication).
- Accessing Granite through a computer that was not reviewed for security requirements and approved by Dartmouth computing, or unapproved use of a computer by someone other than the owner.
- Screen sharing while accessing Granite with an unauthorized user.
- Screen sharing while accessing Granite on any virtual meeting platform (even with an authorized user).
- Accessing and/or disclosing PHI or PII data outside the purview of work requirements (e.g., records of a family member, friend, or celebrity).
- Loss, damage, theft, improper disposal of equipment, media, or papers containing PHI or PII data.
*Note: these are just a few examples of the many ways data can be breached, resulting in a reportable incident.
Unapproved Data Sharing
- No data (even suppressed) is ever allowed to be removed from Granite by a user.
- Use of web tools (e.g., Zoom, WebEx, MS Teams, etc.) is NOT allowed for sharing or displaying any data held in Granite.
- A user can NOT work with, or in any way communicate about, unsuppressed PHI or PII data outside of Granite.
The only acceptable action that can be taken with unsuppressed data is an authorized user logging into Granite and looking at the data.
Reporting Requirements
It is imperative that the user, the principal investigator, and Dartmouth departments respond appropriately and in a timely manner in the event of a suspected data incident.
- A suspected incident must be reported immediately to the Primary Data Custodian, Sean McNamara (802.369.9544).
- Dartmouth departments must complete due diligence as quickly as possible to determine if the incident is reportable to CMS.
- Upon confirmation of a reportable incident, the Dartmouth department must report to CMS within 1 hour.
See Section 14 of the CMS RIF DUA for information about Criminal Penalties for an unauthorized disclosure.
Impact of Data Incident Examples
- All Dartmouth researchers with an active DUA are affected
- CMS-required submission of a formal response
- Notification to Dartmouth College Office of General Counsel
- CMS-required submission of a corrective action plan (CAP)
- Freezing of CMS data access for all CMS DUAs in Granite
- Return or destruction of data files
*Note: these are just a few examples of the many ways a data breach or incident can impact the DAC and its researchers.
Data Incident Response Team
- Information, Technology & Consulting, and Research Computing
  - Sean McNamara, Primary Data Custodian and Chief Information Security Officer
  - Sam Fielder, IT Security Engineer
- Research Cyberinfrastructure
  - Elijah Gagne, Director
  - Sukie Punjasthitkul, Data Security Manager
  - Ayuk Makia Ayuk Tabe, Research System Engineer
- The Dartmouth Institute
  - Amber Barnato, Data Owner and TDI Director
  - Ashleigh Erickson, TDI Research Programmer
- Office of Sponsored Projects
  - TBD, Incident Response Oversight
- Geisel IT
  - Stephen McAllister, Director
  - Brian Dellinger, Associate Director
- Dartmouth
  - Tammy Hickox, Associate General Counsel
  - Wes Benbow, Executive Dean for Administration & Finance