Computers were stolen from the Reno offices of the University Health System, a clinical program run by the University of Nevada School of Medicine. It appears that full disk encryption software like AlertBoot was not used to secure patient data, since potentially affected patients are being alerted that their information “may have been viewed without consent,” a scenario that is implausible when the correct data security software is in place.
Two Computer Servers Stolen
According to kolotv.com, two computers (and only these two computers) were taken from the aforementioned offices on June 11. There were no signs of forced entry.
The computers contained not only patient information (names, Social Security numbers, medical information, and account numbers) but also personal information for some physicians.
It is not known at this point how many people are affected, although the university started mailing data breach notification letters last week. (It bears mentioning that the university is also mailing breach notifications to people “whose information would not have included details like social security numbers.”)
Complying with Nevada Breach Notification Laws and HIPAA?
There are two laws the University has to reckon with, but only because it had not used encryption software to safeguard patient information. Besides protecting patients from the (real, in this case) risk of becoming identity theft victims, the use of encryption also affords certain protections under the law.
At the federal level, my guess is that the university also has to deal with HIPAA, since its clinic is a covered entity under federal law. As I’ve covered before, the latest decision by the Secretary of the HHS, via the HITECH Act, grants safe harbor from sending breach notifications to patients as long as encryption is used to protect patient data (also known as PHI, protected health information).