AlertBoot Endpoint Security

Drive Encryption Issues - St Albans District Patients Affected By Stolen Laptops

The Herts Advertiser is reporting that several laptops were stolen from West Herts Hospitals Trust in separate incidents spanning two years, potentially affecting around 2,000 patients.  While on the surface the breach does not look like it is of grave importance to patients, the hospital seems to be taking it rather seriously.  It may be a case of a little too late, though.  Had drive encryption software like AlertBoot been installed on the laptops, most of the precautions now being taken would have been unnecessary.

Lost Over 2 Years, Alerted Last Month

According to hertsad.co.uk, West Herts Hospitals Trust (WHHT) chief executive Jan Filochowski explained that one of the laptops was stolen in March 2006, another a year later, and a third in February 2008.  That last incident, you'll note, was over a year ago.

However, WHHT was only notified of these thefts last month.  Since then, the health trust has sent notification letters to all potentially affected patients.  Processes have also been reviewed (and changed, I imagine) so that patient information cannot be retrieved over the phone.  My guess is that this is meant to shut down social engineering attempts, for reasons I'll get to below.

You see, the data that was stolen was not particularly sensitive in itself (although I'm sure someone could argue otherwise).

What Data Was Stolen

A full list of the types of data on the stolen laptops was not given, but the report points out that patients' hospital reference numbers and details of prescriptions were included, and that the records identify patients who received "orthotic services."

I had to look up orthotic (hey, I’m not a doctor).  It is the field "that is concerned with the design, development, fitting and manufacturing of orthoses, which are devices that support or correct musculoskeletal deformities and/or abnormalities of the human body."

It may be sensitive stuff for the patients, but (and I know I'm being callous) it's not sensitive information in the usual sense.  If you need an orthotic device, chances are it's not a condition you can easily hide.  Everyone can see it, and if that's the case, you can't be blackmailed over it.

Nor can the information itself be used to carry out fraud, and I doubt it would be of any value to anyone, unlike a list of health care ID numbers, so it can't be sold either.

However, other data could be gleaned from it.

Social Engineering - A Euphemism For Impersonation

Since there is enough information to identify a patient, the laptop thieves could use some of it as a lever to obtain further, more financially rewarding information.

For example, if patient names were included, I could call a phone operator, give "my name," and just start talking about the orthotic device I'm using, how great it is, and so on.  This makes me sound like the actual patient, and the patient history confirms the use of that device.  Then I ask for something innocuous-sounding, like a change of address for any future mail.  That's it.

As an identity thief, what I do next is call back later and ask the hospital to send me my last bill, health checkup results, etc.  Chances are those documents will hold details that can be used for perpetrating fraud, such as a national medical ID or a tax ID (perhaps both), and they will arrive at the updated address.

Which is why WHHT did the paranoid (and correct) thing by reviewing its phone processes.

A Little Too Late?  Data Breach Prevention A Better Option

The only problem is that the laptops were stolen years ago, while the review (and any changes) happened in the past month.  They say "better late than never," but my guess is that any illicit use of the data has already taken place.

It goes to show that data security is not something you want to start thinking about only after a breach.  Of course, if a breach reveals an information security problem, you do need to address it.

However, the pragmatic approach is to consider the ramifications of a data breach before you actually have one and put the appropriate security measures in place beforehand.  For example, if sensitive data is stored on laptops and there is no effective way to keep those laptops from going missing, you want encryption software protecting their contents, so that a stolen machine is a hardware loss rather than a data breach.
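Putting the measure in place is one half of the job; the other is checking it actually covers every place data lives.  As an added example that is not part of the original post or of AlertBoot's product, here is a small shell audit a practitioner could run on a Linux laptop: it reads `lsblk` output and reports any mounted filesystem or swap area that does not sit on top of a dm-crypt (LUKS) layer.  The device names and both samples of `lsblk` output below are constructed, not captured from a real machine; `/boot` and `/boot/efi` are treated as expected-unencrypted because the boot loader has to be readable before the disk can be unlocked.

```shell
#!/bin/sh
# Added example (not from the original post): audit a Linux laptop for data
# stored outside an encrypted container.
# Feed it:  lsblk -P -o NAME,TYPE,FSTYPE,MOUNTPOINT,PKNAME
# Prints "<device> <mountpoint>" for every mounted device (or swap) with no
# crypt layer beneath it and returns 1 if any was found, 0 otherwise.
# Limitation: mount points containing spaces or "=" break the pair parsing.
audit_encryption() {
  awk '
    {
      # Each lsblk -P line is a set of KEY="value" pairs; extract the ones
      # we use. FSTYPE is accepted but ignored; the TYPE chain is what counts.
      name = ""; type = ""; mnt = ""; pk = ""
      for (i = 1; i <= NF; i++) {
        split($i, kv, "=")
        v = kv[2]; gsub(/"/, "", v)
        if (kv[1] == "NAME")            name = v
        else if (kv[1] == "TYPE")       type = v
        else if (kv[1] == "MOUNTPOINT") mnt  = v
        else if (kv[1] == "PKNAME")     pk   = v
      }
      if (name == "") next
      parent[name]   = pk                 # PKNAME = parent kernel device
      is_crypt[name] = (type == "crypt")  # dm-crypt / LUKS mapping
      if (mnt != "") mounted[name] = mnt  # filesystems and [SWAP]
    }
    END {
      bad = 0
      for (n in mounted) {
        mnt = mounted[n]
        # Boot loader partitions must be readable before unlock; the risk
        # there is tampering rather than data exposure, so skip them.
        if (mnt == "/boot" || mnt == "/boot/efi") continue
        # Walk down the stack (lvm -> crypt -> part -> disk) looking for a
        # crypt layer anywhere beneath the mounted device.
        enc = 0
        for (d = n; d != ""; d = parent[d])
          if (is_crypt[d]) { enc = 1; break }
        if (!enc) { print n, mnt; bad = 1 }
      }
      exit bad
    }'
}

# Constructed sample (hypothetical laptop): LUKS -> LVM root and swap on sda,
# plus an unencrypted ext4 data partition on a second disk, sdb.
SAMPLE_MIXED='NAME="sda" TYPE="disk" FSTYPE="" MOUNTPOINT="" PKNAME=""
NAME="sda1" TYPE="part" FSTYPE="vfat" MOUNTPOINT="/boot/efi" PKNAME="sda"
NAME="sda2" TYPE="part" FSTYPE="crypto_LUKS" MOUNTPOINT="" PKNAME="sda"
NAME="luks-root" TYPE="crypt" FSTYPE="LVM2_member" MOUNTPOINT="" PKNAME="sda2"
NAME="vg-root" TYPE="lvm" FSTYPE="ext4" MOUNTPOINT="/" PKNAME="luks-root"
NAME="vg-swap" TYPE="lvm" FSTYPE="swap" MOUNTPOINT="[SWAP]" PKNAME="luks-root"
NAME="sdb" TYPE="disk" FSTYPE="" MOUNTPOINT="" PKNAME=""
NAME="sdb1" TYPE="part" FSTYPE="ext4" MOUNTPOINT="/data" PKNAME="sdb"'

# The same laptop without the second disk: everything in use is under LUKS.
SAMPLE_CLEAN=$(printf '%s\n' "$SAMPLE_MIXED" | grep -v '^NAME="sdb')

audit_mixed() { printf '%s\n' "$SAMPLE_MIXED" | audit_encryption; }
audit_clean() { printf '%s\n' "$SAMPLE_CLEAN" | audit_encryption; }

# Real use on the machine being audited:
#   lsblk -P -o NAME,TYPE,FSTYPE,MOUNTPOINT,PKNAME | audit_encryption
```

On the mixed sample the audit prints `sdb1 /data` and exits 1; on the clean sample it prints nothing and exits 0.  Swap is deliberately included in the check: an unencrypted swap partition can hold pages of whatever was in memory, including the very documents the disk encryption was meant to protect.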


Related Articles and Sites:
http://www.databreaches.net/?p=3807

 

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.