Claims Handling Security Risks: Document Management

By Sean Cassidy, Vice President – Sales & Marketing, Benchmark Independent Medical Examinations

Toronto, ON (Nov. 4, 2015) – Each year, computers, operating systems, and the associated software that is running on them become more and more sophisticated. However, the unfortunate reality is that individuals and groups with malicious intent are equally sophisticated, and in some respects data handled in a traditional manner is less secure now than it was even two years ago.

This challenge is not restricted to smaller companies with less IT knowledge and fewer security resources. For example, UPS (United Parcel Service) reported a data breach leading to the potential theft of customer debit and credit card information. JP Morgan Chase, the largest US bank, recently acknowledged a massive data breach that affected 76 million households and 7 million small businesses – customer names, phone numbers, and email addresses among other personal details were all exposed. Probably the most highly publicized data breach was Sony’s recent incident that resulted in five unreleased movies leaked, 47 thousand social security numbers stolen, and all the personal data of approximately 15 thousand current or former employees.

As a result, any company or individual in the insurance industry, particularly those on the property and casualty side handling sensitive health care information need to be highly aware and cautious of potential security exposures. Below we will discuss some of the most common areas of concern.

Fax Machines

Fax machines are actually a much larger risk than many people realize and the reality is that they are still heavily used, particularly in casualty claims management such as accident benefits. There are several issues with fax machines, including something as simple as the machine’s location. A fax machine sitting in a common area, such as a hallway or copy room, is a potential exposure because of how easily accessible the information is. Even if there is no intent to access sensitive data, simple mix-ups such as fax piggy-backing (one page mixed in with another fax) or the mixing up of large piles of faxes can lead to unintended theft and potential distribution of the information to the wrong parties.

There can also be “with intent” risks where a guest, maintenance person, or any other person who happens to be in the office can walk past the machine and conveniently grab sensitive information in an inconspicuous manner. Traditional fax machines will also automatically continue to try sending numerous times and a fax sent near the end of the work day may not end up at the recipient’s destination until after hours and could be accessible to curious cleaning staff in the evening.

Finally, the fax machine is actually a risk in itself because, since 2002, most fax machines have been equipped with a hard drive that stores an image of every document ever scanned, copied, or faxed, and thousands of these machines end up in garbage dumps or electronics recycling yards with the hard drive still intact and unwiped. As a result, it is important to pay attention to the location of your fax machine, be diligent with preventing accidental mixing of faxes, and always destroy the hard drive of the machine prior to recycling.


Email is also a communication method that has elements of risk and the usage of email needs to be closely evaluated. It is unclear if email communication is compliant with PIPEDA or PHIPA and if it is what mechanisms need to be undertaken – such as permanently storing the email – as proof of compliance. In addition to the lost productivity email generates due to spam, personal email, and potential viruses, most confidentiality breaches come from within a company and email is one of the major vehicles for this transfer of data. The breaches can be accidental, but also can be intentional and uncontrolled email makes these types of breaches unnervingly all too common.

Email is also, generally, a free-form method of communication, and damage to a company’s reputation can result from unprofessionally written emails or even employees that do not respond to their emails in a timely fashion when addressing client issues and inquiries.

The other major challenge with email is the pure technical security threat that it presents; an email travels through many routers and servers on the web on its way to the recipient and is inherently vulnerable to both physical and virtual eavesdropping. Current industry standards do not place an emphasis on security, and information is transferred in plain text, leaving a digital paper trail on the many servers it passes through that can easily be inspected months or years later by a curious third party. Email has its place and isn’t going to go away any time soon but for professional communication on sensitive topics, such as accident benefit claim files, email is certainly not an ideal tool.


Even your own computer and network presents potential security risks such as file shadow copies, temporary files, and data remanence which leaves a residual representation of all data on the hard drive even after data has been erased or written over. The list of potential security threats is nearly endless and it’s time to acknowledge the futility of focusing solely on defending impregnable data fortresses and equipping remote computers with antivirus and group policy rules. While this is still important, alone it is no longer enough. Next week we will look at practical solutions that can proactively address these security concerns while improving efficiency at the same time.

About the Author

Sean has been active in the insurance claims handling space in various capacities since 1997 and was one of the pioneers of Canada’s first online claims management system launched in 1999. Sean has expertise in claims, claims process improvement, vendor programs, claims IT systems, and document management. He enjoys working with insurance companies to tie all of these components together with their various systems and processes in order to arrive at the ideal combination customized to an insurer’s own unique needs. Sean joined Benchmark IME in December of 2013 and is putting his experience, coupled with Benchmark’s advanced technological capabilities, to work to improve the AB claim workflow for insurers in Canada.

Sean can be reached at [email protected].

About Benchmark

Technology-driven, person-centered philosophy, and privately-owned and operated by a Regulated Healthcare Practitioner – we only provide Independent Medical Examinations (IME). Benchmark provides a comprehensive range of IME with national coverage to Property and Casualty Insurers, Group Life and Health Insurers, Government, Employers, and the legal community. Benchmark is CARF accredited and has a management process that is ISO 9001:2008 certified.

Source: Benchmark IME