A privacy incident is any event that has resulted in (or could result in) unauthorized use or disclosure of PHI or PII data.
If you suspect a data incident has occurred, complete the following steps immediately
- Stop all work.
- Call 802.369.9544 to report the incident to the DAC Primary Data Custodian, Sean McNamara.
- If the DAC Primary Data Custodian is unreachable, call 734.649.1874 to report the incident to the DAC Interim Director, Nancy Birkmeyer.
- If you are unable to reach the DAC by phone, use the email button on this page to submit a report to the DAC; the email is sent directly to the DAC Incident Response Team, and a representative will respond to your report as soon as possible.
Reportable Data Incident Examples
- Sending, receiving, or sharing any unsuppressed PHI or PII data outside of the DAC Servers (e.g., in an email, taking screenshots, writing the information on paper, discussing it with a colleague, or any other form of communication)
- Accessing the DAC Servers from a computer that was not reviewed against DAC security requirements and approved by Dartmouth computing, or unapproved use of an approved computer by someone other than its owner
- Screen sharing of the DAC Servers with an unauthorized user
- Screen sharing of the DAC Servers on any virtual meeting platform (even with an authorized user)
- Accessing and/or disclosing PHI or PII data outside the purview of work requirements (e.g., records of a family member, friend, or celebrity)
- Loss, damage, theft, or improper disposal of equipment, media, or papers containing PHI or PII data
*Note: these are just a few examples of the many different ways data can be breached, resulting in a reportable incident.
Unapproved Data Sharing
- No data may be removed from the DAC IS by any DAC user.
- Use of web tools (e.g., Zoom, WebEx, MS Teams, etc.) is NOT allowed for sharing or displaying any data held in the DAC Servers.
- A DAC user may NOT work with, or in any way communicate about, unsuppressed PHI or PII data outside of the DAC IS.
The only acceptable action that can be taken with unsuppressed data is an authorized user logging into the DAC IS and looking at the data.
Reporting Requirements
It is imperative for both the user and the DAC to respond appropriately and in a timely manner in the event of a suspected data incident.
- A suspected incident must be reported immediately to the DAC Primary Data Custodian.
- The DAC must complete due diligence as quickly as possible to determine if the incident is reportable to CMS.
- Upon confirmation of a reportable incident, the DAC must report to CMS within 1 hour.
See Section 14 of the CMS RIF DUA for information about Criminal Penalties for an unauthorized disclosure.
Impact of Data Incident Examples
- All DAC researchers are affected
- CMS-required submission of a formal response
- Notification to the Dartmouth College Office of General Counsel
- CMS-required submission of a corrective action plan
- Freezing of CMS data access for all DAC CMS DUAs
- Return or destruction of data files
*Note: these are just a few examples of the many ways a data breach or incident can impact the DAC and its researchers.
Data Incident Response Team
- DAC Primary Data Custodian, Sean McNamara
- DAC Interim Director, Nancy Birkmeyer
- DAC Assistant Director, Monica Adams-Foster
- DAC Technical Project Director, Sukdith Punjasthitkul
- DAC Research Programmer Analyst II, Ashleigh King
- Dartmouth Information Security
- Geisel Computing
- General Counsel
- TDI Director