Aultman Health Foundation has posted a press release on their website, announcing that a laptop computer with patient information was stolen. It is not known whether laptop encryption software was used to protect the patient data, although it looks like encryption is used at the company.
Was it Used in This Instance?
The affected patient information includes names, addresses, dates of birth, telephone numbers, SSNs, insurance identification numbers, and “health information related to home health services.” I’m not sure what that means, although I’m imagining it to be treatment, medical diagnoses, etc. Databreaches.net quotes a publication (since archived) as saying that 13,800 people were affected by this breach.
Aultman notes that because of “several safeguards that were in place,” it doesn’t believe that the information was accessed. Besides the use of password-protection, however, it doesn’t reveal what those safeguards were.
In a sense, that’s a smart move. For example, if there was a GPS tracking device that works once someone goes online, going public with that fact can abet the criminal. On the other hand, withholding such details only leads people with a healthy dose of skepticism–like yours truly–to wonder whether adequate protection was in place, and whether Aultman was right in concluding that the information cannot be accessed.
Had they revealed that the stolen laptop was protected with encryption software, I would have readily agreed with their conclusion. Assuming that the password to access it had been kept safe, of course.
Encryption Used at Company
It’s not as if the company is unaware of encryption technology. To begin with, it sounds like they might fall under the auspices of HIPAA regulation, so encryption must have been considered at some point (and recently, too, since the HHS has been weighing in on their rules ever since HITECH was passed by Congress).
Second, they specifically mention the “enhancement” of encryption on all laptops used by Aultman HealthCare in Your Home as a step they’ve taken to reduce future risks, as well as a couple of other steps, which I applaud them for.
But, that begets a question: what is it to “enhance” encryption?
Is it a fresh install? For example, were laptops in the “in Your Home” program not encrypted? Or maybe some were, others weren’t, and the company decided to go after the others?
Perhaps it means that old encryption was replaced with stronger encryption?
If Aultman’s computer was secured with laptop encryption such as AlertBoot endpoint encryption, it behooves them to say so in this day and age. To begin with, the effectiveness of encryption is not impacted by announcing it publicly: the thief is bound to see it when he turns the computer on, and encryption is anything but hidden. Second, it sends a message out that the information really is protected.