Data Classification Training for Employees
An account manager at a healthcare company needed to share patient outcome data with a prospective partner. She opened the company’s analytics dashboard, exported a CSV, and emailed it to the partner’s Gmail address. The export included patient names, treatment dates, and billing codes. She did not realize any of this was in the file. She had only wanted the aggregate numbers.
The company discovered the incident two weeks later during a routine DLP review. By then, the email had been forwarded internally at the partner organization. HIPAA breach notification was required. Legal costs, remediation, and fines totaled over $200,000. All because one employee could not tell the difference between aggregate statistics and protected health information in a spreadsheet.
This type of incident happens constantly. Not because employees are careless, but because nobody taught them how to look at data and ask: “What am I actually holding?”