Our DLP policies have been turned on for a little more than a week and I was reviewing the report to see what types of information are being flagged. There are quite a few that show the SensitiveInformationType as an ICD-10-CM flag (Screenshot 1). I reviewed the DlpCompliancePolicy (U.S.A Financial Data) that it's being detected in, but I don't see anything monitoring for ICD-10 (Screenshot 2).
According to our policy (USA Financial Data) and the compliance rule (Low volume of content detected in USA Financial Data), shouldn't this policy only be monitoring for CC#, US Bank Acct. #, and ABA Routing #? If so, why is the report showing flags for ICD-10? If not, where would I see the additional monitoring for ICD-10? I haven't found anything in mail flows either that would suggest it's monitoring for ICD-10 terms.