The Colorado Department of Health Care Policy and Financing (HCPF) has a very short entry on a data breach that affects approximately 111,000 people. Was hard disk encryption used? Hard to tell.
As databreaches.net has noted, the data breach notice publicized at the HCPF is very simple. In fact it is so short that I decided to reproduce the notice below:

"State officials discovered that there was an unauthorized removal of a computer hard drive housed at the Office of Information Technology (OIT). The information did NOT include addresses, dates of birth, social security numbers or any other financial information that could be used for identity theft. It included name, state ID number and the name of the client's program. Approximately 111,000 clients, or one-fifth of those receiving public health insurance, will receive notification by first-class mail, as required by HIPAA."
I'm not worried about HCPF releasing such a short notice because I'm sure there'll be a follow up to this story:

It's affected 111,000 people, or as HCPF noted, one-fifth of people receiving public health insurance. That's huge. There's bound to be media coverage on this. HCPF quoted the HIPAA requirement, as amended by HITECH. This means they'll be notifying the HHS, which consequently will be uploading the breach to their "breaches involving 500 or more individuals" site (not there as of this blog post), which will also bring nation-wide attention.

I get the feeling that the curtness of the HCPF's notice is not bureaucratic scheming, which usually works towards keeping the public in the dark, but rather a temporary measure to alert the public while they go about with their incident response.
I doubt it. I've recently made a couple of mistakes in making these "did they or didn't they" wagers when it comes to encrypted disks and HIPAA. However, it still remains a fact that:

- Most organizations don't want to go public with a data breach.
- This is especially true if they aren't legally required to do so.
- And it is even more true if people have no reason to be concerned.

Under the HITECH amendment to HIPAA, people affected by data breaches must be contacted via first-class mail (although alternatives are given depending on the circumstances). This requirement didn't exist prior to HITECH, as far as I know.

There is a twist, though: under the same amendment, a HIPAA-covered entity doesn't need to send such notifications if the lost or stolen patient information is protected with strong encryption. The reasoning is simple: encryption provides good data security.

(While there are those that argue that notifications ought to be made even if encryption is used, most people agree that the sheer amount of notifications being sent would lead to people ignoring the letters, just like some people throw away their junk mail without even glancing at the contents.)

So, considering the above, it wouldn't be unwarranted to assume that disk data encryption like AlertBoot (http://www.alertboot.com/disk_encryption/disk_encryption_product_tour.aspx) wasn't used on the now-missing hard drive.

And if not? Well, I guess I'll have to eat crow again. I've never had to do that twice in a month before....

Related Articles and Sites:
http://www.databreaches.net/?p=12611
http://www.colorado.gov/cs/Satellite/HCPF/HCPF/1251575270108