Morris Heights Health Center (MHHC), a non-profit treatment and behavioral health center that acted as a school-based health center, has reported a data breach to the HHS (the Department of Health and Human Services) and has also issued a press release. Apparently, a laptop computer was stolen from a middle school. The computer, which was not protected with laptop encryption software like AlertBoot, contained students' health data.
According to the press release and the data breach notice sent to students' parents, a laptop computer was stolen from MS 399 and MS 459 (a quick Google search shows them to be at the same address) on August 29, 2011. Notification letters were dated October 26, 2011.
The stolen laptop contained information on 927 students (per the HHS's breach notification website): names, dates of birth, sex, ethnicities, heights, weights, body mass indices, asthma diagnoses, and flu vaccine status for 2009 - 2010. Access to this information was secured via two passwords: one for the program that runs the file and another for the laptop itself.
However, it should be noted that the laptop password here appears to refer to "password-protection" and not encryption software. Does it matter? It does. For one thing, Morris Heights Health Center has promised that,
To protect against a similar incident occurring in the future, all computers in school based health centers operated by Morris Heights Health Centers are being physically secured with locks, and their hard drives encrypted to prevent unauthorized users from accessing any student information.
If there weren't a difference between password protection and encryption -- if they afforded the same protection -- why would Morris make the switch? Don't answer that; it's a rhetorical question. This one isn't: why did they wait until after a breach to encrypt laptops with sensitive data?
One of the surprising aspects of this story is that Morris Heights Health Center notified the HHS of the data breach despite the records involving student information. Whenever I've run across such stories in the past (involving students), I've always seen how FERPA takes precedence. In fact, I've briefly touched on what FERPA says regarding the use of encryption software to protect student records.
However, I also noted that there are some specific instances where HIPAA would take precedence. The above case seems to be such a case. According to a Minnesota Department of Administration publication, "HIPAA and Schools", there are "three areas where HIPAA may impact schools."
The first is when a school-based health center is operated by a hospital, clinic, or government health department.
The second is if a school nurse submits her service claims electronically. This is actually THE reason why a medical organization, business, or person becomes a "HIPAA covered medical entity." If your local practitioner only accepts cash, he wouldn't be subject to HIPAA.
The third (and not necessarily the last) is if a health care provider gives a school medical information in electronic format. This one, though, might be specific to Minnesota and not necessarily applicable to other states.
Related Articles and Sites:
http://www.mhhc.org/?p=486
http://www.mhhc.org/wp-content/uploads/2011/11/Breach-Notification-Letters.pdf
http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html
http://www.mnmsba.org/Public/PublicationShow.cfm?PublicationsID=1413