Washington State University recently found itself on the hook for around $4.7 million in a class-action, data-breach lawsuit.

In April 2017, a self-storage facility used by WSU was broken into and a small safe was stolen. Unfortunately, the safe contained a backup hard drive loaded with the personal data of more than one million people. The stolen hard drive contained confidential research data collected by WSU researchers, including Social Security numbers, private medical records, and other sensitive information.

Rather than storing the backup drive in a secure location, WSU chose a public self-storage facility, the sort of place where you might store old furniture or items that don’t seem to fit in your garage anymore. Although the hard drive was securely locked in a safe within the storage unit, the safe was a small portable unit that could easily be transported by an ambitious thief.

While WSU maintains that none of the confidential data has been used by the thieves, many of those exposed beg to differ. The fact is that a lot of sensitive information is out there as a direct result of the theft, potentially exposing over a million individuals to identity theft and the misuse of their personal information.

WSU is paying a heavy price for its blunder.

WSU has not only paid dearly in insurance payouts and legal fees; it is now paying out a large settlement to those affected by the breach. It didn’t take long for the victims of the data breach to file a class-action lawsuit against the university, with many claiming that they were unaware WSU had even collected their information. The claimants also argue that WSU did not properly secure the data by storing it in a public-storage center.

WSU has agreed to compensate claimants for their time and potential damages incurred by the data breach. Ultimately, the total cost of the breach depends on the number of people who come forward.

As an added measure of security, the university has agreed to destroy any remaining records associated with the breach and to maintain future records entirely in-house rather than storing sensitive information off campus in potentially vulnerable locations. The university also plans to increase data security overall with improved encryption methods and policies that will ensure that data is handled and stored in a more secure manner.

WSU’s experience is an excellent example of what not to do with sensitive personal data. Although none of the victims in this case were subjected to any substantial data-theft damages, the university is paying a particularly heavy toll for a situation that could have been easily, and inexpensively, avoided.

Learn from WSU’s missteps and ensure that your patients’ data is securely stored.