Covenant Health in Edmonton, Canada has announced a data breach. A hard disk drive that was apparently used as a backup is missing. It was not mentioned whether data encryption was used, although I have a strong suspicion that it wasn't.
A total of 233 patient folders were on the missing hard drive. The folders contained 3,600 "wounds, lab specimens and, in some cases, dead infants" according to edmontonjournal.com. Only four of the folders contained patients' dates of birth and financial information. All folders contained patients' names.
The hard drive went missing (no one's sure whether it was stolen or not) during an office move between January 17 and January 28. The device was temporarily stored under an employee's desk during the move. Not exactly a safe place. At least, not without the use of encryption software.
Edmonton is the capital of Alberta, Canada. This means that PIPA (Alberta's Personal Information Protection Act) applies to this breach. While there is no safe harbor clause in PIPA, if you read one of the FAQs related to the issue, you'll see hints that encryption could very well shield a company from being in breach of the law:
36. What is a "real risk of significant harm"?
A "real" risk is more than merely speculative. It is a genuine risk, not a risk that is merely theoretical or hypothetical. "Significant" harm is harm of importance or consequence. For example, the theft from a vehicle of a laptop computer containing an unencrypted database of personal information relating to financial transactions is likely to pose a real risk of significant harm to the individuals the information is about. [my emphasis]
Under PIPA, an organization that has a data breach ("a loss of or unauthorized access to or disclosure of personal information") has to contact the Information and Privacy Commissioner's office, which in turn determines whether affected individuals need to be notified of the breach.
Since the presence of encryption like AlertBoot Endpoint Security neutralizes "the real risk of significant harm," it follows that a company like Covenant Health would inform the Commissioner's office and the issue would stop there.
This is supposition only, of course, but a pretty good one. In fact, based on all the cases and comments from the Commissioner's office I've read over the years, it's quite likely the truth.
It's a shame, really, when you think about it. Why not actually codify it into law, instead of indirectly referencing it, so that organizations know what they're getting into when they don't use encryption on sensitive material?
Related Articles and Sites:
http://www.edmontonjournal.com/Edmonton+hospital+hard+drive+with+hundreds+patient+records+missing/4437104/story.html
http://www.phiprivacy.net/?p=6177