Good companies care about their employees. Sadly, a recent article in the Harvard Business Review supports the old admonition that we “always hurt the one we love.” So while it’s nice that businesses want to keep their workers fit, employee wellness programs may actually pose risks to the healthcare data of those very employees.
About two-thirds of American workers have the opportunity to take part in a wellness program provided by their employer. For workers at companies with more than 200 employees, it’s more like 99%. What constitutes a wellness program isn’t really spelled out; it could be anything from morning calisthenics to subsidized gym memberships to smoking-cessation programs. The important thing is that companies usually want to track employee involvement, and it’s almost certain those records will be kept electronically.
If the scope of your wellness program is 45 seconds of stretching exercises at your desk just before polishing off a glazed donut with coffee, you probably don’t have a lot to worry about. (At least not regarding your data.) But if your program requires you to enter personal information, and especially if a third-party vendor is involved, the risk level can go up significantly. Here’s why:
- Big numbers make big targets for cyber criminals. Remember how almost all larger companies offer wellness programs? Size puts them in the crosshairs of hackers looking to steal valuable information. While a big company may be careful to protect financial records, trade information or personnel files, it might not give as much thought to information associated with wellness programs. Yet it is there that bad guys might find names, addresses, phone numbers, medical histories … just think about it. Once accessed, cybercriminals could exploit the information themselves or sell it to unscrupulous marketers.
- Your information may be up for sale, legally! You may have heard how laws like HIPAA and the ADA mandate privacy of your healthcare information. While these regulations do apply to employers and certain healthcare providers, vendors who offer wellness services are often exempt. So imagine this scenario: A company arranges for another business to provide and administer a wellness program. Workers sign up and provide lots of personal information (as the vendor obviously has their employer’s endorsement). The vendor provides the service as specified but can also legally sell the workers’ information to other marketers. Often neither the employer nor the employee has any idea this could happen! (Even if the vendor doesn’t sell customer data, how well are they protecting it from hackers?)
What do we do? As for workers, the HBR article states, “Employees who wish to join a workplace wellness program should carefully read the consent forms for health data collection and make sure they understand what data will be collected and how it will be used – both by the third-party vendor and by the employer. Employees should demand assurances from their employer that their health data won’t affect any employment decisions. They should ask about the risk of their data being hacked or compromised and that their data be destroyed once they are no longer in the program.”
Due diligence is also incumbent upon employers. Remember, if you’re setting up a program to benefit your employees, they should be able to trust that their participation won’t cause them harm in any way. Here are a few steps:
- Create an information wall around the employee data, so there’s no possibility the company could access records (e.g. genetic or disability information) it might be tempted to use in making hiring or promotion decisions.
- Before arranging for third parties to administer a wellness program, make sure they have stringent protocols for protecting their customers’ (the employees’) healthcare data.
- Make sure employees have the final say in the sale and transfer of their personal information.
- Ensure that employees are informed (with written consent) of any data risks before they’re allowed to join the company-sponsored wellness program.
Certainly, healthier employees are bound to be more productive, and there may be health insurance dividends to promoting worker wellness. But we also believe business owners and managers who spend many hours a day with loyal, resourceful and passionate people genuinely care about staff welfare. If your company is promoting a data-involved wellness program, The SynchroNet Way can help keep employee records safe.