
AlertBoot offers a cloud-based data and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

AlertBoot Endpoint Security


PHI Encryption Software: Advocate Medical Group Data Breach Affects 4 Million

Over four million people are affected by the theft of four desktop computers from Advocate Medical Group.  The computers were not protected with medical data encryption software, which runs counter to most HIPAA experts' recommendations.  The one silver lining here for AMG is that there is still time left until compliance with the HIPAA Omnibus Final Rule (but, frankly, that hasn't stopped HHS from handing out million-dollar HIPAA fines to covered entities that should have known better).

Enough Information for ID Theft

According to chicagotribune.com, the computers were stolen on July 15.  Burglars broke into an administrative building and stole four computers that contained names, addresses, SSNs, and dates of birth.  chicagotribune.com points out that financial information and medical records were not stolen.

However, the information that was stolen is enough to fetch some good money on the black market.  The value of names and SSNs tends to vary, but such information can go as low as pennies per name – which means that the thieves could get at least $40,000 by selling the data (but probably much more.  Quantity has a quality all its own, after all.  Not that I make it a habit to quote despotic leaders).

The breached information goes as far back as the early 1990s.  One year of free credit monitoring is being offered to people whose information was stolen.

Desktop Computer Encryption

One of the more upsetting aspects of this story is that security, in all of its forms, was severely lacking.  The computers reportedly had password protection, but most people already know that it cannot be relied on to protect data.  The building itself didn't have any physical security either.  Security cameras are present but the office was "not equipped with an alarm."  It's also apparent that the company didn't have 24/7 security staff at the time of the burglary.

Under the circumstances, it's almost as if the company believed that these desktop computers didn't require meaningful security because...they're desktop computers.  You know, just like you wouldn't use a $200 bike lock on a weathered Walmart bicycle with a tattered seat and an extremely rusty chain.

The problem is, thieves are willing to steal anything if they think they can get away with it.  Desktop computers are not sexy, but they are bankable – sell them for cheap or sell them for parts.  And the data on them takes on the same form regardless of the device: laptop, desktop, netbook, tablet, smartphone, etc.

With the HHS's Office for Civil Rights handing out million-dollar penalties for HIPAA breaches every six months or so (they can choose to be picky on who to make an example out of – there are thousands of reported data breaches each year, and growing), it's perplexing that any covered entity or business associate is willing to take a short-sighted approach to PHI protection.

Related Articles and Sites:
http://www.chicagotribune.com/business/ct-biz-0824-advocate-20130824,0,1314049.story
http://www.phiprivacy.net/personal-data-for-4-million-patients-at-risk-after-burglars-snatch-computers-with-advocate-medical-groups-patient-information/
 

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.