NYU Langone Medical Center is embroiled in a data breach, its second in approximately one year. According to the medical center's press release, a desktop computer, which was not protected with data encryption software like AlertBoot, was stolen on May 23 from the office of the chair of the Department of Neurosurgery.
The stolen computer contained data on 8,400 patients. Social Security numbers for 5,000 patients were compromised, and other patient data included names, addresses, dates of birth, telephone numbers, insurance information, and clinical information related to physician visits.
Instead of encryption software, password-protection was used to "protect" the data. NYU's press release notes that "additional software would be needed to retrieve any data files," although it has not commented on the nature of this mystery software.
This is not the first time NYU Langone has been affected by a PHI breach. Based on this blog's history, the medical center also had a data breach last year, when 670 patients were alerted. Encryption software was not used at the time, either.
An analysis of all the medical data breaches reported to the HHS (Department of Health and Human Services) shows that the loss and theft of digital devices that contained PHI -- such as laptops, external hard disks, desktop computers, etc. -- account for well over half of all data breaches at HIPAA-covered entities. Full disk encryption is very efficient at preventing these types of information security incidents.
And, of course, HITECH's Breach Notification Rule provides safe harbor from reporting data breaches if strong encryption was used to protect patients' sensitive medical information.
After NYU's situation last year, one would assume that devices would have been encrypted by now, but apparently not.
Related Articles and Sites: http://www.med.nyu.edu/about-us/potential-data-breach-7-23-2012