Sometimes I read a story that makes me wonder if people understand why they're using data encryption software like AlertBoot. I mean, the point behind encryption software is to protect data, no?
Apparently Jim Christensen, owner of the Family Care Center physical therapy clinic in Washington state, where the breach took place, doesn't share this belief.
Christensen's business was broken into, with thieves stealing a laptop, a backup hard drive, $400 from a locked cashbox, and a firewall device, which, ironically enough, was probably there for "data protection."
On the laptop, the information for 8,000 patients--it's implied the figure is anyone who's ever visited Family Care Center--was included. What kind of information, though, is the real question.
8,000 of his patients’ names had been stolen during a burglary last weekend. The list includes patient accounts from his operations in Clinton, Freeland and Oak Harbor.
“All the names were heavily encrypted on the software that was stolen, but we have to assume the worst,” [Christensen] said. He added that federal privacy rules protect identifiable patient information, and he’s required to notify his clients. [pnwlocalnews.com]
The fact that names were present has been established in the story. Is it possible that it's only names that were stolen? Sounds doubtful. Why advocate that his clients call the bank right away?
Could it be that only names were encrypted, and other information was not? That seems unlikely. Why would the software only encrypt names and not protect other information?
Plus, it's quite nebulous what this "software" happens to be. Is it a database program that automatically encrypts its own files? Or does he mean that he used encryption software to actively protect patient information?
Regardless, if we can take Christensen at his word, and heavy encryption (I guess he meant strong encryption?) was used, there really is no reason for him to strongly suggest people call their banks right away. I mean, it's always a good idea to keep an eye out, since there's no way to tell when, nor how, you might become a victim.
However, the chances of becoming an identity theft victim from encrypted data are pretty remote. That's the purpose behind the use of encryption programs. Otherwise, HIPAA wouldn't be essentially advocating its use.
Admittedly, encryption will never be a panacea for identity theft or other data security issues. But, you've got to give it a little credit in the areas where it can and does work.
Related Articles and Sites:
http://www.pnwlocalnews.com/whidbey/swr/news/96690764.html
http://www.phiprivacy.net/?p=2942