Cardiology Consultants Inc. is notifying patients that a computer with ultrasound images was stolen. They have admitted that data encryption was not used to secure the data, although “a special key” was required to access the information.
According to pnj.com, Cardiology Consultants is notifying about 8,000 patients that their names, dates of birth, medical record numbers, exam dates, ultrasound images, and, in some cases, the reasons for performing the ultrasound were on the stolen laptop. Thankfully, neither financial information nor SSNs were included.
If I had to assign a risk level to this particular incident, I would say there is low risk (had encryption software been used, I would have said that there was negligible to no risk).
Why low risk? If the data is accessed, the thief could decide to use the information in what’s called “social engineering” to obtain more rewarding information. For example, if someone’s last name is unique, and their home number is listed publicly, one could pose as a doctor (with ultrasound information on hand) to obtain someone’s SSN (oops…we seem to have the wrong one on file, by the way; would you be kind enough to give it to us again?).
It sounds far-fetched until the day you actually fall for it.
Further, according to pnj.com, “because of the proprietary configuration of the computer, it is unlikely that the computer’s information can be accessed by the average user,” and “the computer does require a special key to access the data.”
Hm. Not sure what to make of those statements. It seems to imply that password-protection is in place, but as I’ve covered before, password-protection is not really security. I would much prefer to see some kind of disk encryption being used on the computer, or at least file encryption to protect just the digital documents.