According to the letter sent out by Drs. Gangwish and Morgan at the Summer Avenue Chiropractic clinic, thieves broke into the clinic and stole computers that contained the information of patients, including names, addresses, dates of birth, and Social Security numbers. But, there’s no need to worry since the information was encrypted. But, as a precaution, patients ought to keep an eye out for any unusual activity on their credit reports. This was the gist of the letter.
The actual letter, however, is a bit cringe-worthy. To begin with, it reads like the good messieurs didn’t spend too much time learning how to spell or write prose worthy of doctors. Unfortunately, perception always matters, and in this case, the letter (not the content of the letter, but the style and choice of words) makes one wonder whether they actually know what they’re talking about. The words lack that ambience of professionalism that one expects from PR folk. On the other hand, it’s very refreshing since it’s so to-the-point. I can’t find any instance of double-speak, for example. Maybe it’s the ultimate PR campaign: PR that doesn’t sound like PR.
I can’t say I share The Breach Blog’s observations in this particular instance. For example, it looks like the thieves were not initially targeting the chiropractor’s office, but the RadioShack next to it. The thieves decided that going through the chiropractor’s office was the easiest route into the RadioShack. When it turned out that was not the case, they stole what they could. Nobody likes to leave empty-handed. They returned later and successfully broke into their primary objective. This is what The Breach Blog had to say:
Good secure construction. If I owned a business that created, collected or stored sensitive information, I would establish an office where I was the only business in the building or in a building that was adequately segregated from other businesses. One of the segregation criteria would be walls that do not allow adjacent access. Check this when evaluating an office space for adequate physical security. Too often it is overlooked.
Maybe it’s just me, but I’d imagine that encryption was used by these guys because they figured they couldn’t control stuff like this. While I can’t and won’t argue that secure premises are a bad thing for security—how would that even make sense?—businesses have other considerations besides data security as a priority. It doesn’t make sense to match businesses to what one perceives to be the correct security needs. You match the security needs to the business. So, if the walls are not strong enough for the perfect business venue, you find some other way to protect the data. These guys found it in encryption to protect the data.
To me, the telling sentence in this notification is "I was very much HIPPA compliant and the good thing is that everything was encrypted and had strong pass codes." I would want more information. I notice the word "was" which is past tense. I notice "HIPPA" which is really meant to be "HIPAA". I notice "everything was encrypted", which has been questioned. Affected patients should certainly ask for more detail.
At this point, this is just nit-picking. Between the above and the sarcastic words of “Now how about HIPAA compliant?” to the chiropractor’s typo, I wonder if the blogger was having a bad day. I keep being reminded of Nick Burns, your company’s computer guy, aka Jimmy Fallon with a bad mustache.
They had encrypted the patients’ information (see what I did there? Had?). What more is needed? They certainly could have done a lot worse, like not having any true data security measures, and stating that they “don’t have any evidence that the computers were stolen for their content” as an excuse. Is not using spell check such a big deal in light of the circumstances? Should I think less of a paramedic who’s saved someone’s life because his belt doesn’t match his shoes?
Besides, all the L337 |-|aXor5 know that the worse you spell, the better you are at computer security... Ever read TJX’s announcement of their massive data breach? It reads so well, with proper grammar and spelling. So professional. Too bad they couldn’t do anything about people committing fraud with the stolen credit card info.
I’ll always choose a guy with half a brain and bad writing who takes the time to implement adequate data security over a bunch of guys sharing half a brain who don’t. Anytime.
Related Articles:
http://breachblog.com/2008/09/16/summerave.aspx