Helping organizations audit what personal data they hold and understand why minimizing it reduces risk

In January 2025, a nonprofit healthcare provider in Connecticut, Community Health Center (CHC), disclosed that a hacker had stolen the personal data of more than one million patients. The breach started in October 2024 and went undetected for months. The stolen information included names, Social Security numbers, dates of birth, diagnoses, treatment details, and health insurance information. Even people who had simply come in for a COVID test had their data taken.

Was all of that data truly necessary for a 15-minute test? Probably not necessary but it is generally collected and stored. When the breach of CHC happened it was stolen. CHC now faces class-action lawsuits, regulatory scrutiny, and the enormous cost of notifying over a million people. This doesn’t just happen to large healthcare systems. If your medical practice, law office, accountancy, ministry, or nonprofit collects personal information, you need to ask:

Are we holding more data than we actually need?

Why This Matters

You can’t lose what you don’t have. If a hacker breaks into your system, the damage is directly related to what they find. More data means greater breach impact, more regulatory exposure, higher legal liability, deeper reputational damage, and more expensive recovery. For most organizations trust and reputation is everything. A breach that exposes financial records, health details, or family information can shatter that trust in ways that are very hard to repair.

What You Can Do About It

While a data audit sounds completed, it doesn’t have to be. You can start with these four steps…

1. Know where personal data lives. Walk through every system, cloud service, email account, and filing cabinet. Organizational management software, donor platforms, financial records, patient intake forms, legal documents, shared drives, and old hardware are all common places where sensitive data accumulates without anyone realizing it.
2. Ask the hard questions. Why do we have this? Do we still need it? Could we accomplish the same purpose with less? Who has access? Is it stored securely? And remember to comply with your records retention policies and any regulatory requirements.
3. Reduce your footprint. Securely delete what you no longer need. Remove unnecessary fields from your forms. If you don’t need a Social Security number, don’t ask for one.
4. Protect what remains. Limit access to those who genuinely need it. Encrypt sensitive data. If you don’t have one, create a retention policy that defines how long you keep data and when you destroy it. And train your staff and volunteers on why this matters and how they can help protect the information.

The Bottom Line

Every piece of personal data your organization holds is both a responsibility and a potential liability. One very effective thing you can do to reduce your risk is to reduce your data. Taking these steps won’t eliminate every threat, but they will significantly reduce the long term impact if an attack occurs. That could be the difference between a manageable incident and a crisis that threatens the future of your organization.

Not sure where to begin? SureDefense Strategies helps small and medium sized businesses navigate cybersecurity challenges with clear, actionable guidance. Contact us today to take the next step.

Need some references for info on CHC?
[1] HIPAA Journal – Community Health Center Data Breach (February 2025): https://www.hipaajournal.com/community-health-center-data-breach/
[2] Hartford Business Journal – Community Health Center Inc. faces lawsuits over data breach (March 2025): https://hartfordbusiness.com/article/community-health-center-inc-faces-lawsuits-over-data-breach/