St. Vincent Hospital in Indianapolis has announced a data breach affecting 1,200 people. An employee’s laptop was stolen when the employee’s home was burglarized. It is not mentioned whether disk encryption software like AlertBoot was used to protect the data.
Dearth of Details
Frankly, there’s not much to report on. A laptop computer was stolen from an employee’s home, resulting in the breach of names, SSNs, dates of birth, addresses, and “personal health information.” (Personally, I suspect that the last one is actually protected health information; I, too, sometimes get confused on what PHI stands for; at least, I used to, until I read a handful of HIPAA-compliance publications).
The burglary took place on July 25th. It wasn’t revealed whether the employee had been authorized to take the information home, although it wasn’t announced that the employee in question had been reprimanded in any way (which could be because he had been authorized to have that data).
Assuming that the employee was authorized to carry this information, one also assumes that St. Vincent had used encryption software to protect the information. Indeed, under HIPAA, encryption is pretty much required for any portable media that is not secured physically; furthermore, the (relatively) recently passed HITECH Act further strengthens the use of encryption to protect PHI (it might be an interim requirement, but I think pretty much all expect it to be enforced in the end).
Not the First Data Breach
St. Vincent had another, unrelated breach in 2007. In that case, a third party was responsible for the breach (but not for the consequences, seeing how the hospital was the owner of the breached data): they exposed personal information on the internet.
That should have been a wakeup call for the hospital. Usually, the first breach tends to create a domino effect, where other data security weaknesses are investigated and shored up. Between this, HIPAA, and HITECH, I’d have imagined the use of laptop encryption would have been required for all laptops. The question is, was it?
Why do I keep emphasizing the use of encryption? Well, to begin with, it’s the only known, and proven, method for keeping sensitive data secure in the event of a data breach. Even if a laptop, desktop, external portable drive, etc. is stolen, the information on it cannot be accessed if data encryption was used to secure the information.
Also, under HITECH, the use of encryption means that a data breach is given safe harbor from having to notify patients and the HHS about the “data breach”: since encryption is used, the loss of data does not pose a risk, and hence, no need to report it as a data breach. You know, for the same reason that you wouldn’t report that an empty folder labeled “patient data” has gone missing (what’s the point?)
Furthermore, Indiana is a state that gives the same safe harbor for the same reason: in fact, per state law, it doesn’t even consider the loss of encrypted information a data breach.
The use of encryption, in this particular case, means real protection from potential ID theft for the 1,200 people, as well as compliance with the law, both at the federal and state level. Why wouldn’t one keep emphasizing the use of encryption?