
AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.


Data Encryption Software: Medical Backup Data Tape Lost By California Health Department

The California Department of Public Health has lost a data tape in the mail.  It affects 2,550 medical residents, workers, and other staff, according to a public statement by the public health authorities.  The presence of data encryption like AlertBoot appears to be non-existent in this case.

Envelope Arrives Unsealed

The backup tape was sent via USPS, from one California health department to another, as part of a backup process.  When the envelope arrived at its destination on September 27, workers noticed that the envelope was unsealed and empty, and reported the data breach.  On November 23, nearly two months later, a list of potentially affected people was finalized.  It appears the CDPH is still contacting affected individuals.

The lost backup tape included protected information such as SSNs, investigative reports, backgrounds on workers, confidential e-mails, and names of residents and their diagnoses.

It's quite obvious that encryption ought to have been used to protect sensitive data.

Ironic?

Over at phiprivacy.net, the question is posed: "So… will the state fine itself for not notifying individuals within 5 days of the discovery of the breach?"  The question no doubt regards these two incidents, this one and this one.

It's doubtful that there'll be any fines.  My understanding is that the 5 day limit is for reporting the breach to the CDPH, which was immediately done in this case.  Plus, it looks like perhaps patient information was not included in the breach?  I mean, a medical resident could either be a patient or a doctor...and my understanding is that the laws were set up to protect patient information.

(I'm pretty sure this was not the intent, but the way current laws are written up, data breaches of patient information are calamitous while the loss of caregivers like medical professionals receives quite the cold shoulder.  I sometimes imagine a bureaucrat shrugging his shoulders and saying, "meh.")

"Researching Ways to Eliminate the Backup Tape"

Regardless of whether the CDPH fines itself (a cost that will ultimately fall on the taxpayers' shoulders), it's fair to point out that the CDPH has failed to uphold the spirit of the laws they're meant to monitor.  Not only does the CDPH issue penalties for less-than-immediate notification of breaches, it also hands them out for inadequately protecting information.  Granted, patient data might not be involved here, but doctors can become ID theft victims, too.

What really irks me, though, is this statement:

CDPH has implemented policy and procedure changes to minimize the likelihood of recurrence and is researching options which would eliminate the need for a back up tape.

The latest breach is not really indicative of any failings in the backup tape.  Rather, there's a hole in their security policy which, I would imagine, is quite obvious: they're sending data in an insecure manner.

The reason why I take issue with the above is that efforts are clearly being directed towards treating the symptoms, when focus should be on the underlying cause.  Even if the backup tape were to be dispensed with in favor of USB memory sticks, DVDs, and other media, one still has to face the fact that sending unsecured data via the mail is a bone-headed idea.


Related Articles and Sites:
http://www.databreaches.net/?p=15864
http://latimesblogs.latimes.com/lanow/2010/12/state-health-department-loses-medical-records-of-2550-people.html
http://www.cdph.ca.gov/Pages/NR10-098-.aspx

 

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.