A clinic in Durham, Canada--just north of Toronto--has suffered a data breach that affects 83,524 people who've received flu shots, H1N1 as well as seasonal, between October 23 and December 15. Hard disk encryption was not used to secure the information, although it was mentioned that "the ability to read that data is limited."
It was not mentioned. Perhaps they mean the ability to read it is limited to those who try to read it? More realistically (and less sarcastically), I'm guessing password protection must have been used--perhaps on the file itself--although at this point I can only guess.
(Update: I've found what they mean by limited: "The files found on the USB key contain a 'lot of gobbledegook, and then some information that is clearly legible,' Dr. Robert Kyle, Durham Region's Medical Officer of Health, told CBC News.")
Regardless, the point is that it was not secured with data encryption, and the information for 80,000-plus Canadians--including patient names, addresses, phone numbers, dates of birth, health card numbers, physicians' names, patient allergies, and chronic medical conditions--is at the mercy of some random guy, literally:
"We have absolutely no evidence nor any belief that it was deliberately stolen," Dr. Kyle [Durham Region's Medical Officer of Health] said adding surveillance video shows the USB being placed on a rock on the property after it was lost by the nurse. "The only conclusion we can reach is it was out there in the open, somebody saw it, they picked it up and carried it away."
Being placed on a rock after it was lost by the nurse? Hmm, so random guy #1 finds the USB device and places it on a noticeable place so that random guy #2 can take it. Niiiice.
Research--and the real world as well--shows over and over again that encryption software goes a long way when it comes to data protection.
Don't believe me? Go take a look at UK law: it allows the incarceration of a person who refuses to divulge the password to encrypted information. This law came about because breaking encryption in real life is as hard as the eggheads claim. There are probably many countries that would love to have this law...except it poses problems along the lines of freedom and liberty and other abstract concepts (the UK has received a lot of criticism over adopting it).
Knowing even the government has problems cracking encryption, what are the chances that the average guy would be able to bypass encryption like AlertBoot? Pretty much nil. That's why there's a fuss over encryption (or rather, over the lack of encryption).
Related Articles and Sites:
http://www.citytv.com/toronto/citynews/news/local/article/66378--health-unit-lost-usb-key-containing-health-info-for-more-than-80-000-people
http://www.nationalpost.com/news/story.html?id=2371723
http://www.cbc.ca/health/story/2009/12/22/health-information.html