Medical laptop encryption like AlertBoot disk encryption is both effective and affordable when it comes to securing protected health information (PHI). So why is it not used as often as it should be? The question is prompted by a data breach at Alere Home Monitoring, which is in the news due to the loss of a laptop computer that led to 100,000 breach notification letters.
According to the fine investigative work by Dissent at phiprivacy.net, we know that Alere Home Monitoring suffered a data breach on September 23, 2012. However, it looks like the company was only alerted to the data breach around October 1 (about a week later).
According to sources found by Dissent, a laptop computer was stolen from a parked car on September 23, among other items. The laptop was password protected; however, there is no mention of whether patient encryption software was used to protect the data. On the other hand, notification letters to one hundred thousand people are generally a dead giveaway that cryptographic solutions were not used.
The stolen data included names, addresses, dates of birth, Social Security numbers, and diagnoses. The police have been notified, and one year's worth of identity protection is being offered to those affected.
Apparently, not all were clients of Alere. Some of those being notified could have dealt with QAS, Inverness Medical, or Hemosense -- although Dissent notes that she can't confirm that the information is accurate. The relationship between these three and Alere, according to cap.org, is that Alere Home Monitoring was formerly Inverness, and that the company acquired HemoSense, QAS (aka Quality Assured Services), and Tapestry. The last one was not mentioned in connection with the breach.
Dissent also offers some questions:
- Why weren't the data encrypted?
- Why was a laptop left in an unattended vehicle?
- Was there a substitute media notice? If so, where was it published?
- Why is there no prominently displayed notice on Alere's home page?
- Will HHS actually fine entities for leaving unencrypted data in cars?
All of these questions -- quite valid, seeing how difficult it was to obtain information regarding this case -- are a result of improperly securing patient information. If you work for a HIPAA covered entity and you use a laptop computer that is full of PHI, the use of laptop disk encryption software is a no-brainer: not only does encryption protect data from unauthorized access, it also provides safe harbor from multiple data breach rules and regulations, at both the federal and state level.
Granted, just because you use a laptop chock-full of PHI doesn't mean you're required to use encryption. If, like me, one uses a laptop computer as a replacement for a desktop computer, then whatever security measures you had in place for the desktop can arguably be applied to the laptop (but why take the chance?). Seeing how the laptop was stolen from a car, however, encryption should have been used in this case.
Related Articles and Sites:
http://www.phiprivacy.net/?p=10627
http://www.valvereplacement.org/forums/showthread.php?41003-**WARNING-LETTER**-from-Alere