St. Jude Heritage, in Fullerton, CA, has notified 22,000 patients that their personal data may have been compromised when five laptop computers were stolen. The information was not protected via full disk encryption software like AlertBoot endpoint security solutions, although password protection was used.
A total of 22 computers were stolen, but only the five mentioned above contained sensitive patient data. The theft occurred two months ago, but patients are being notified only now because St. Jude had to reconstruct what was on the stolen computers: SSNs, dates of birth, and health-related information such as diagnoses (the latter in some cases only). Credit monitoring and fraud alert services are being offered by St. Jude.
Password protection doesn't provide information security. Earlier this week I noted that the HHS--the organization charged with enforcing HIPAA and patient data security--uses encryption software on all laptops, as well as on desktops that aren't secured physically. (HIPAA Encryption: What Does the HHS Use?) And there's a reason for that: as a federal agency, they have to comply with a government standard known as FIPS 140-2, which is maintained by the National Institute of Standards and Technology. According to its guidelines, password protection does not afford data security. Now, the information retained by the HHS is probably not too different from what St. Jude had. And yet the HHS declines to rely on password protection and goes for something much stronger. What does this tell you about St. Jude's data protection policies?
St. Jude took two hits by not using disk encryption programs to protect their data. The first is the increased risk to patient data. The second is its inability to take advantage of the protection that state law provides. St. Jude is located in California, and under California law, an entity does not need to make a breach public if the information is protected using encryption. Furthermore, HIPAA rules, as amended by the HITECH Act, provide the same protection from disclosure. Needless to say, using encryption kills two birds with one stone, and not taking advantage of such protection is short-sighted.
Related Articles and Sites:
http://abclocal.go.com/kabc/story?section=news/local/orange_county&id=7414662
http://www.ocregister.com/articles/medical-246434-jude-data.html