Walsh Pharmacy in Massachusetts has notified the Attorney General's office of New Hampshire that a missing DVD caused a data breach. The number of people affected, or whether data security safeguards--such as data encryption software like AlertBoot--were present, was not mentioned. Update (18 AUG 2010): 11,400 people were affected by this breach.
Walsh Pharmacy in Massachusetts has notified the Attorney General's office of New Hampshire that a missing DVD caused a data breach. The number of people affected, or whether data security safeguards--such as data encryption software like AlertBoot--were present, was not mentioned.
Update (18 AUG 2010): 11,400 people were affected by this breach.
The DVD went missing after the disk was mailed by a business associate, McKesson Pharmacy Systems, to Walsh Pharmacy on June 3rd. The "envelope was found to be empty" and an examination showed that there was "no evidence of tampering." While the presence of data security software was not mentioned, it was noted that the information stored on the DVD was created by in UNIX. The implication is, the theft of data in this case is not as easy as popping the DVD in a random computer, since the world is overrun with Windows boxes, and these lack the ability to read files created under UNIX. I suppose, however, that it would read, at least partially, under any Linux-based OS...including the mac, since its foundation is a linux-based operating system. So much for security via obscurity (or, in this case, lack of availability). Plus, if the files are in plain text, they could be opened under a Windows box (it would require the right tools, though).
The DVD went missing after the disk was mailed by a business associate, McKesson Pharmacy Systems, to Walsh Pharmacy on June 3rd. The "envelope was found to be empty" and an examination showed that there was "no evidence of tampering."
While the presence of data security software was not mentioned, it was noted that the information stored on the DVD was created by in UNIX. The implication is, the theft of data in this case is not as easy as popping the DVD in a random computer, since the world is overrun with Windows boxes, and these lack the ability to read files created under UNIX.
I suppose, however, that it would read, at least partially, under any Linux-based OS...including the mac, since its foundation is a linux-based operating system. So much for security via obscurity (or, in this case, lack of availability). Plus, if the files are in plain text, they could be opened under a Windows box (it would require the right tools, though).
As a result of this data breach, Walsh has decided that business associates will destroy any information, after the BA's are done using it, instead of returning it to Walsh. I've got to congratulate Walsh on making that decision. After all, even more secure than protecting confidential data with encryption software is destroying it: if you destroy it, there is nothing left to protect. Even encryption carries with it a small, infinitesimal risk. On the other hand, if I'm reading into this correctly, I also see a problem. DVDs and other media will be destroyed by the recipient, preventing beaches associated with returned media. But, returns imply that media is also being sent out by Walsh. I mean, logically, there's no reason why the torn envelope problem won't affect media being sent out. Perhaps, then, those disks ought to be encrypted with disc encryption prior to being sent out. If so, then there would be no data breach problems in also returning it. But then, why ask for it back? Destruction is a better method of "security," as I've pointed out above. Plus, you'd save some postage. Of course, there is the problem of ensuring that those disks were actually destroyed....
As a result of this data breach, Walsh has decided that business associates will destroy any information, after the BA's are done using it, instead of returning it to Walsh.
I've got to congratulate Walsh on making that decision. After all, even more secure than protecting confidential data with encryption software is destroying it: if you destroy it, there is nothing left to protect. Even encryption carries with it a small, infinitesimal risk.
On the other hand, if I'm reading into this correctly, I also see a problem. DVDs and other media will be destroyed by the recipient, preventing beaches associated with returned media. But, returns imply that media is also being sent out by Walsh. I mean, logically, there's no reason why the torn envelope problem won't affect media being sent out.
Perhaps, then, those disks ought to be encrypted with disc encryption prior to being sent out. If so, then there would be no data breach problems in also returning it. But then, why ask for it back? Destruction is a better method of "security," as I've pointed out above. Plus, you'd save some postage.
Of course, there is the problem of ensuring that those disks were actually destroyed....
Related Articles and Sites:http://www.phiprivacy.net/?p=3319http://doj.nh.gov/consumer/pdf/walsh_pharmacy.pdf