Hospital volunteers and patients at Hong Kong’s Queen Mary Hospital are at risk because of a computer data breach. Two desktop computers and an external hard disk were stolen, and it looks like drive encryption software was not used.
One of the stolen computers contained the information of 700 cancer patients and dozens of volunteers: Chinese and English names, ID card numbers, phone numbers, and addresses. ID card numbers across the world are regularly traded in the electronic underground market, since they can be used for bypassing on-line verification services.
It’s not apparent whether the thieves were after the data or not. Besides the computers and the hard disk, three computer monitors were also stolen. Seeing how this is a literal break-in (door locks were broken and there were other signs of forced entry), it could very well be that thieves just wanted to get their paws on anything of value.
On the other hand, once you have such goods in your hands, it doesn’t take much to run cheap software that looks for sensitive data. After all, if a thief steals a car, he’ll probably go through the glove compartment and trunk as well, just to see what’s in there. I don’t see why it would be any different for a computer.
Hard Drive Encryption Software Would Have Helped
This is not the first time a hospital in Hong Kong had to announce the breach of patient data. About a month ago, two other HK hospitals announced a data breach, and I’ve also covered numerous cases of lost or stolen USB memory sticks and computer thefts in the past.
Perhaps I shouldn’t be, but I’m surprised when I hear that computers are not protected with encryption software when it comes to Hong Kong. If a data breach happens in the US, it’s kind of understandable because the country is so large: one might not hear about a breach or what can be done to contain it, etc.
Hong Kong has something on the order of 6 million people and a land area about 5 times that of Boston. In other words, it’s a pretty small city but densely populated (fourth highest population density in the world, according to Wikipedia). I bet you can’t help but overhear–two tables to the right, while you’re ordering steamed dumplings–what medical illness a stranger’s cousin caught.
My guess is that most medical establishments know of the dangers of not having their machines adequately protected. Which in turn implies that a conscious decision was made not to use data encryption programs in this case.
A shame, if this is true. While hard disk encryption cannot prevent all types of data breaches, it is very useful for preventing those related to the physical theft of computers and other digital data storage devices.