16,000 current and former patients of Dunes Family Health Care are being notified about the loss of a hard disk drive that was being used as backup storage. The drive was stored in a “locked, fire-proof area,” but it doesn’t sound like hard drive encryption, such as AlertBoot, was in use.
No Financial Data – Who’s the Victim?
The drive did not contain any “patient accounting system records” (which I take to mean financial data), although many do contain Social Security numbers, names, addresses, dates of birth, and/or clinical information.
A Dunes Family spokeswoman had this to say about the breach: “I want people to know that we’re the victim of a crime here, the clinic is, and we’re the ones paying for it.”
Well, yes, but also no. Yes, Dunes is a victim. First, their patient data — which Dunes is charged with protecting — was stolen. Second, the breach did not occur through Dunes’s negligence, but through “the organization responsible for downloading and storing the clinic’s electronic records.”
(Hmm…on my second reading, I’m not sure if this is actually the case. It states that “the organization” found the drive missing; it’s never specified where it was missing from. It could very well be that a contractor was visiting Dunes’s premises to perform the job. If so, it would be Dunes’s oversight, not the contractor’s).
Regardless, it’s quite clear that Dunes is a victim here. However, the spokeswoman’s statement also includes a misstatement of sorts: Dunes is not the only one “paying for it.” The 16,000 patients they’ve had to contact are victims as well. They may not be paying for one year of ID theft monitoring (Dunes is taking care of that), but what about the second year, or the third? After all, names and SSNs keep forever: you could pull off a crime 10 years from now using the same data.
And what if fraud is carried out using one of the names and SSNs found on the missing hard drive?
Encryption Software: Now They’re Using It?
Dunes had this to say about their security going forward:
We are committed to safeguarding our patients’ sensitive personal information, and have taken immediate steps to fortify the measures protecting our backup files. Those files are now being stored under increased physical security and are encrypted. [Dunes breach notification letter]
Well, that’s definitely good news. The use of cryptographic programs to safeguard data is a recommended practice — not just by this lowly blogger, but by many professional organizations and by state and federal laws. For example, HITECH (which amended HIPAA) offers respite from the “Breach Notification Rule” if patient health information is protected with encryption that conforms to NIST standards.
(In fact, it sounds like Dunes was guided by HIPAA rules when going public with the breach. This might be “obvious” because they’re a health care organization; however, there are other “clues” in the details: they sent out the letters, notified the media to alert those they couldn’t reach via mail, and did so within 60 days of discovering the disk was missing.)
Of course, this begs the question: why did Dunes not encrypt the disks to begin with? Probably because the use of encryption tools is not required under HIPAA/HITECH. Encryption is “addressable,” meaning that it is essentially optional: after you weigh the risks, you decide whether encryption is necessary or not.
Most organizations are wrong to think that way. With data breaches increasingly being carried out by “internal agents,” aka employees, encryption systems are de rigueur going forward.