A laptop computer, without full disk encryption to protect the contents, was stolen from a University of Kentucky Healthcare department. Over 2000 people have been notified.
A laptop computer that was used at the UK Department of Pediatrics was found stolen sometime between June 18 and June 21. It contained information on 2,027 people from the Newborn Screening Program: names, medical record numbers, dates of birth, mother's name, and, in some instances, SSNs.
The computer did make use of password-protection, but not of encryption software. Perhaps the hospital was under the impression that encryption was not necessary, seeing how the laptop was stolen from a locked private office.
(Update, 26 AUG 2010): According to healthdatamanagement.com, UK was in the process of encrypting all laptops and portable media.
Financial account information, such as credit card numbers, was not stored on the laptop.
I'm divided whenever I hear that a computer was stolen from a locked office. The paradoxical thing about most locks is that they're poor deterrents to determined individuals: they keep out the honest but will yield under stress.
On the one hand, locking an office door works wonders for safeguarding your property. Indeed, more than any other "tool" out there, it's the use of locks on doors that prevents stuff from being stolen overnight.
On the other hand, stuff gets stolen from locked offices all the time: a brick through a window, a leg to the door, forced door handles, bobby pins to the lock, etc. Granted, in some of these the lock is not touched at all, it just forces a thief to take another approach at perpetrating his crime. The point is, the presence of the lock hasn't prevented the crime.
Should we, or can we, blame an organization for assuming that a locked door, which has worked so well over the years, would continue to prevent a data breach from happening? Should the organization have known better?
(I'm not even going to debate the point whether the information should have been stored on a laptop. My bet is that the thieves who broke in to steal stuff would have stolen a desktop computer as well, if it had been present.)
And by "known better" I mean, should they have used encryption like AlertBoot to protect the data, even if a laptop was never taken out of that locked office, ever? In hindsight, the answer is yes. But for some other organization in the same situation, the answer could be "no": it could potentially never have a break-in, at which point the use of encryption could be viewed as "useless."
But then, wouldn't that be similar to crying foul because you have to carry auto insurance, despite never having been in an accident?
Related Articles and Sites:
http://www.ukhealthcare.uky.edu/press/public-notice-081610.asp
http://www.kentucky.com/2010/08/22/1401796/identity-theft-warning-issued.html