According to phiprivacy.net, St Charles Health System is contacting approximately 145 people to alert them that they may be at risk of identity theft. Apparently, a laptop was stolen from an employee's car. The device was not protected with drive encryption software like AlertBoot (although the hospital is in the process of encrypting all laptop computers containing medical information).
In late October, a laptop computer was stolen from an employee's vehicle while it was parked outside, overnight. About 145 patients' names, dates of birth, and phone numbers were saved on the computer, but it's claimed that the files were already deleted before the theft.
The laptop was password-protected so it's assumed that the incident is "low risk," seeing how "it would take a person with advanced computer skills to retrieve the information." A spokesperson noted that "we believe that this is what we consider a low-risk breach, but we still felt it was important to notify the affected patients." The spokesman also noted that the hospital "does have a policy against leaving work laptops unattended and in plain view. But she says she doesn’t know where the computer was in the car when it was stolen."
As I noted in the opening remarks, the hospital is currently in the process of encrypting all laptops with medical information.
Man, oh, man...there are so many things wrong with this picture.

Hospitals don't really get to consider when to notify patients. One of the things that irks me: the spokesperson seems to be implying that they had the option of not contacting patients because the incident is considered "low-risk." Under HIPAA / HITECH, they have no such option. The Interim Rules clearly specify that if medical data encryption is not used, affected patients must be notified. If more than 500 are affected, they must also immediately notify the Department of Health and Human Services and go public with the breach.

Password-protection does not require advanced skills to bypass. Do you know why HIPAA / HITECH gives safe harbor when encryption software is used to protect medical information on lost or stolen laptops? Because it works. The same is not true for password-protection. Why? Because it turns out that bypassing password protection is pretty easy. And cheap. How to do it is freely available on the web from reputable sources.

What kind of hospital allows laptops to be left unattended in cars as long as they're out of plain sight? As Dissent at phiprivacy.net also commented: why is the spokesperson implying that leaving the laptop in the car is OK as long as it's out of sight? What kind of policy is that? I mean, that implies tinted windows are adequate to comply with the policy. Plus, there are the trunks of cars. Those don't work as well as you think.

Of course, there are plenty of things that are "right" with the picture: deleting any unnecessary data is to be applauded (and even more so if it was overwritten), and the move to encrypt all laptops that contain personal data reflects a strong commitment to patient data security.

However, good security comes from what you do as well as what you don't do. Leaving unencrypted laptops in cars? Not acceptable. Having a policy where it is acceptable to leave unprotected patient data in cars? Well, it might prompt people to sue you.
Related Articles and Sites:
http://www.phiprivacy.net/?p=8605
http://news.opb.org//article/another-stolen-laptop-another-breach-confidentiality/
http://www.kbnd.com/page.php?page_id=60247&article_id=10938