Here is another example of why you're better off protecting your laptop computers with hard disk encryption like AlertBoot, as opposed to ensuring things are locked up properly. AvMed has announced that their breach from February actually affected 1.2 million patients, not the initial 200,000 people they reported.
Per my count, this is the third announcement on patient figures. Initially, it was announced that approximately 210,000 people were affected. Not long after, the figure was updated to 360,000. Now, four months after the initial announcement, the figure has ballooned to 1.2 million.
AvMed did note that the sensitive information found in the two stolen laptops was listed "randomly" and would be of little use to any identity thieves. Apparently, this has also caused AvMed to report incorrect figures.
What is surprising to me is that AvMed is still looking into the issue. I mean, after sending breach notification letters to 360,000 people throughout Florida, I would have assumed that they would call it a day.
Instead, they're still looking into it four months later.
Although it's not always the case, data forensics takes a long time. I mean, it's an investigation; what else would one expect? In the above case, the investigation took 6 months to complete (well, assuming they're done with it; perhaps we'll see a third revision of figures?).
The breach occurred in December. AvMed waited two months to notify the initial round of patients, since they had to figure out who to contact and, I believe, there was also a police investigation during that time.
And now, four months after that initial announcement, they have another one. That's 6 months. I don't know how much AvMed paid for that forensic investigation, but it cannot have been cheap.
If only they had used encryption software....
Actually, AvMed's computers were encrypted. However, they came to the conclusion that the encryption was applied incorrectly (there's still no news on how they came to that conclusion).
This actually highlights why you can't just apply hard disk drive encryption on your laptops and then call it a day. While cryptography is a great way of protecting electronic data, there are numerous ways that it can be foiled, not because the technology is lacking, but because of indirect factors.
Usually, we're talking about people not exercising correct security procedures, such as leaving their passwords close by, usually written on a sticky note, or sharing passwords. But there are other factors.
For example, sometimes encryption software is not installed correctly. Other times, encryption software is disabled by the computer user. (I tend to recommend that people go with encryption software programs that cannot be turned off locally.) This is why, even with encryption deployed across an organization's computers, one still has to follow up and regularly audit these same machines.
In AlertBoot, for example, the same reports that are used for proving encryption compliance to regulators are also used for performing encryption audits.
Related Articles and Sites:
http://www.miamiherald.com/2010/06/03/1661821/florida-avmed-customers-personal.html
http://www.chicagotribune.com/business/fl-health-credit-breach-20100603,0,6050079.story
http://www.gainesville.com/article/20100603/ARTICLES/100609817?Title=AvMed-Breach-of-customer-data-three-times-worse-than-reported