A Portland, Oregon psychologist has alerted approximately 4,000 patients that personal health information was stolen in July, when someone broke into his car and took his laptop computer and briefcase. While there is no mention of drive encryption software, it’s been noted that password-protection was used to “protect” the data. On a more worrisome note, a backup CD was also in the tray of the laptop.
SSNs, Other Information Missing
The stolen laptop computer, which contained evaluations that included names, SSNs, and diagnoses, has yet to be recovered. The briefcase, which contained individual evaluation records, was found discarded near the scene of the crime.
While it hasn’t been revealed whether these paper evaluation records contained sensitive information as well, the fact that the thief discarded them seems to indicate that he wasn’t really interested in information theft. Rather, he was probably looking for tangible objects.
Another explanation, though, is that a thief wants to get as far away as possible, as quickly as possible, from the scene of a crime, so the briefcase was chucked in favor of the laptop. Once he is safe, though, where is the guarantee that the thief won’t go through the contents of the laptop?
Lousy Security: Password-Protection, CD in Tray
The most glaring error, of course, is the presence of the CD in the laptop computer’s CD tray. I mean, forget the issue of whether password-protection actually provides protection or not (hint: it generally doesn’t). The presence of a backup in the CD tray means that any security is for naught, even if encryption software like AlertBoot had been used to secure the contents of the laptop.
There is a caveat, of course: everything would still be secure if the CD had been encrypted as well. So, was it? I guess we’ll find out soon enough. Under HIPAA rules, any breaches that affect more than 500 people must be reported to the HHS, which will go public with the breach’s details.