The lesson here is to be aware of how you build, and where you post, graphs containing real data about customers, patients or employees.
The personal and medical data of a still-undisclosed number of Memorial Sloan-Kettering Cancer Center (MSKCC) patients in New York City was accidentally posted on the Internet and remained accessible for more than six years before the exposure was detected in April.
Patients were notified by letter in mid-June. The letter to patients reads, "In 2005 MSKCC staff created graphs that were included in a presentation for physicians and medical researchers. Private information was hidden behind the graphs. The MSKCC staff person who prepared the presentation was not aware that the private information was embedded in this way. This information included your name, date of birth, medical record number, dates of treatment, and some clinical data including treatment information."
The letter continues, "No financial data or Social Security number was included in this incident. The hidden data would not have been visible to individuals viewing the presentation in a routine way. However, a person who accessed the presentation could manipulate the graphs to reveal the private information."
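A pre-publication check for the failure described above, as an added example that is not part of the original article: it lists the parts of a presentation package that can carry a chart's source data. It assumes the file is an Office Open XML package (.pptx, .docx, .xlsx); the article does not say which format the MSKCC presentation used. The function names and sample decks are constructed for illustration.

```python
import io
import zipfile

# Folders where OOXML packages keep embedded objects and chart parts.
EMBED_DIRS = ("ppt/embeddings/", "word/embeddings/", "xl/embeddings/")
CHART_DIRS = ("ppt/charts/", "word/charts/", "xl/charts/")


def _zip_bytes(parts):
    """Build an in-memory ZIP package from {part_name: bytes} (sample data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in parts.items():
            z.writestr(name, data)
    return buf.getvalue()


def find_embedded_data(package_bytes):
    """Return (part, reason) for every part that can carry a chart's source data."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as pkg:
        for name in pkg.namelist():
            if name.startswith(EMBED_DIRS) and not name.endswith("/"):
                data = pkg.read(name)
                reason = "embedded object"
                # An embedded workbook is itself a ZIP; count its worksheets.
                if zipfile.is_zipfile(io.BytesIO(data)):
                    with zipfile.ZipFile(io.BytesIO(data)) as inner:
                        sheets = [n for n in inner.namelist()
                                  if n.startswith("xl/worksheets/") and n.endswith(".xml")]
                    reason = f"embedded workbook with {len(sheets)} worksheet(s)"
                findings.append((name, reason))
            elif name.startswith(CHART_DIRS) and b"externalData" in pkg.read(name):
                findings.append((name, "chart references a source workbook"))
    return findings


# Constructed samples (not real files): a deck whose chart embeds its workbook, and a clean deck.
WORKBOOK = _zip_bytes({"xl/worksheets/sheet1.xml": b"<worksheet/>",
                       "xl/worksheets/sheet2.xml": b"<worksheet/>"})
RISKY_DECK = _zip_bytes({
    "ppt/slides/slide1.xml": b"<p:sld/>",
    "ppt/charts/chart1.xml": b'<c:chartSpace><c:externalData r:id="rId1"/></c:chartSpace>',
    "ppt/embeddings/Microsoft_Excel_Sheet1.xlsx": WORKBOOK,
})
CLEAN_DECK = _zip_bytes({"ppt/slides/slide1.xml": b"<p:sld/>"})

if __name__ == "__main__":
    for label, deck in (("risky", RISKY_DECK), ("clean", CLEAN_DECK)):
        print(label, find_embedded_data(deck) or "no embedded data parts")
```

Any finding means the file ships more than the rendered graph; replacing the chart with a static image, or exporting to a flattened format, before posting removes the embedded workbook.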