AlertBoot Endpoint Security

Disk Encryption Software: Rape & Brooks Orthodontics Server Stolen, Over 20,000 Affected

Databreaches.net brings us the story of a data breach at Rape & Brooks Orthodontics in Alabama.  A computer server was taken during a burglary, triggering a data breach that involves 20,744 patients.  Hard drive encryption like AlertBoot would have meant safe harbor from HIPAA regulations instructing covered entities to send breach notification letters.

According to the orthodontic specialists' statement, the burglary took place on February 4, 2011.  Various items were stolen, including a data server that contained information on patients going back 30 years.  The server was password-protected.

Patient information included names, addresses, and dates of birth.  Social Security numbers and names of guardians may also be included, assuming insurance information was given (the statement expressly notes that SSNs for minors are not included unless they were covered under AllKids with Blue Cross Blue Shield of Alabama).

External drives and other computers were taken as well, but these did not contain sensitive information.  There were facial photographs on some of the devices, but the software license required to view these expired(!), meaning that the images cannot be seen.

Disk Encryption For Long Term Storage

Servers are generally not protected with whole disk encryption software because encryption will give them a small performance hit.  For the average user this hit is indeed small: there is a limit to how fast a person can type, after all, so people will generally not notice the hit due to the computer's speed.

On a server, where other machines are making requests, this performance hit is pretty evident.  There is a caveat to this, though: it depends on what you're serving.  Google's servers need every ounce of performance they can squeeze out of their computers.  A dentist's office?  Probably not so much.

Am I recommending that a server be encrypted?  Possibly, at least in this case.  It's true that encryption software is generally not used on servers.  But a server is generally not associated with the words "long term storage" either.  Thirty years is a long, long time.

Granted, they're probably not using the same machine from three decades past, but that's not what's pertinent here.  They're holding a sizable database which could lead to a very bad situation if the data were breached (and it was).


Related Articles and Sites:
http://www.databreaches.net/?p=18124


About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.