AlertBoot Endpoint Security

Disk Encryption Not Used To Secure Hong Kong Hospital Data

Theft of memory sticks—the USB kind, I guess—accounts for the data breach affecting more than 6000 patients in Hong Kong public hospitals. In the past year, nine memory sticks have been stolen from five hospitals. A task force is being set up to investigate the security issue, and will recommend solutions in three months to avoid recurrences.

 

According to the Hospital Authority chief executive Shane Solomon, the small data storage devices were stolen not because of the data they contained, but because of the intrinsic value of the devices. This assessment comes from the fact that the patient data has not shown up anywhere to date. Of course, some would point out that this is a fallacy in reasoning, since there is no need for that information to show up. After all, patient information doesn’t have an expiration date. Whether the patient information shows up one year after the breach or five years afterwards (or much later) depends on the criminals’ intentions.

 

Of the 6000 cases, 2000 were encrypted and 3000 contained patient data without any identifiers.  That leaves about 1000 cases where the patient information was not protected and has personal identifiers.

 

What’s galling about the entire thing is that Solomon doesn’t have the right mindset about this incident.  I don’t think he would say that thefts were not a problem; far from it.  However, he has been quoted as saying that this “is not a matter of staff negligence…It is a matter of people seeing a USB stick sitting around in a computer and thinking ‘I’ll take that, thank you very much.’”  I have to applaud him for standing by his people, but I would argue that his staff was negligent.

 

Would it be negligence if a nurse left a vial of tuberculosis agent by a computer and someone snatched it?  How about a syringe full of blood?  The answer would be an unequivocal yes.  What if a brand new, empty vial delivered fresh from the factory were left by a computer and that got stolen?  How about an unopened syringe with no needle?  The answer would be no; it wouldn’t even be an issue.

 

A lost USB drive is not an issue if patient information is not stored on it; otherwise, the loss of a USB drive is negligence. Would Mr. Solomon have drawn the same conclusion if hospital staff had left a bunch of patient files lying around without supervision, and someone had filched the files because he really, really needed some manila folders? Of course not. The fact that outsiders decided to commit a crime of opportunity neither negates the fact that the hospital staff were acting negligently when it came to patient files nor relieves them of it. And so one should apply the same logic to the files' electronic equivalent, since a USB device is nothing but a compact, energy-sipping manila folder for the twenty‑first century.

 

Obviously, someone other than the chief executive was in charge of data security, because someone had the mind to encrypt data when they had the chance.  It’s a shame that they weren’t able to extend this to all USB sticks, most probably because the thefts occurred across a number of hospitals.  If they had AlertBoot, they could have used the internet and AlertBoot’s USB drive encryption to secure the data on those devices, as well as securing the contents of computers.  Those can be stolen, too, when staff are not paying attention.  It would be wise to secure their contents with full disk encryption.

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with Data Guard Systems, Inc., the leading provider of managed endpoint security services, based in New York, NY. Mr. Lee helps with the deployment and ongoing support of both the AlertBoot disk encryption managed service and the CellularManager cellular pos service for Data Guard's customers. Prior to working at Data Guard Systems, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.