Hard Disk Encryption On OHSU Stolen Laptop Not Present. Some Still Don’t Understand Password Protection.
Oregon Health & Science University has alerted nearly 900 patients that a laptop computer belonging to an OHSU employee was stolen from his hotel room in Chicago. OHSU believes that the risk of identity theft is low because Social Security numbers were not included as part of the laptop computer’s data. However, other information such as names, phone numbers, dates of birth, gender, and some medical information were included. Makes me wonder why this laptop wasn’t using laptop encryption software to protect its contents. After all, HIPAA regulations would kick in the moment the laptop left the hospital’s premises, no?
Low Risk of Identity Theft? Maybe, Maybe Not
Because SSNs were not included, the hospital’s position is that there is a very low risk of ID theft. I’d like to say, sure, if you’re a lazy criminal. But if you’re an enterprising criminal, you’ve got plenty to get you all the information necessary to perpetrate ID theft.
OHSU has pointed out that the medical information on this machine was “medical diagnosis category and category of treatment — but not the specific treatments.” But wouldn’t this be enough for a criminal to call the person and finagle all the necessary information?
The names and phone numbers are available. A little rummaging of files would probably identify the machine as belonging to OHSU (emails, missives with electronic letterheads, etc.). What’s preventing a criminal from calling a Mr. or Ms. Jones (the gender of patients was part of the data) as a rep from OHSU and asking blatantly for his or her SSN? Couldn’t the thief claim that it’s needed in processing the medical insurance papers, you know, regarding “pancreatic cancer”? (Let’s say the diagnosis was “pancreatic cancer” for Jones.) And there’s a good chance that Jones would give the information. After all, if anyone knows Jones had issues with pancreatic cancer, it’s the hospital.
Password Protection Was Used
The letter sent out to affected patients pointed out that the laptop computer had password protection on it. Password protection, unfortunately, while a deterrent, is not an obstacle. It’s like that “police line – do not cross” tape. If there’s no officer standing guard, only those who follow the law will not cross the line. Criminals, by definition, do not follow the law.
Likewise, password prompts under Windows will only prevent those who’re not desperate to find what’s in the computer. Otherwise, it’s just a matter of popping out the hard drive and connecting it to another computer. Tired of me harping about this? I can’t help it:
The computer was password protected, which is about the only safety measure you can take except for strapping the laptop around your neck and even then someone would steal it if they wanted. [Posted by pradoyolanda at oregonlive.com, my emphasis]
The above person is wrong. There’s plenty more OSHU could have done.
Encryption Should Have Been Used
There are two ways to ensure the patient information is not accessed on the stolen laptop: One, delete the information. Generally, this is a step taken prior to losing the laptop and needs constant monitoring. The second way is to have the contents of the laptop encrypted. The use of hard drive encryption or file encryption would have ensured that only people who know the username and password can access the data. This is different from normal password protection, where one does not need the username and password to bypass the prompt.