North Carolina residents who were being served by Omnicare, Inc., a Kentucky company that focuses on pharmaceutical care for senior citizens, were affected by the theft of a laptop. The breach involved 8,845 patients. It wasn’t revealed whether hard disk encryption like AlertBoot was used to protect the contents of the notebook computer, although the notification letter did note that “advanced technological skills and tools” would be necessary to access the database.
Contractor to Blame
The laptop was being used by a traveling Consultant Pharmacist who visits the various nursing homes and rehabilitation facilities serviced by Omnicare, prescribing medication therapies. Omnicare has not specified how or where the laptop was stolen from (“a parked vehicle” seems to be a “fashionable” breach venue when traveling contractors are involved, although who knows what the specifics are in this case).
Social Security numbers and “limited amounts of health information” were stored on the laptop. Repeating myself, the company has assured breach notification recipients that “advanced technological skills and tools” would be required to access the information.
Advanced is Such a Qualitative Term
Advanced technological skills and tools. What are they exactly? I mean, are we talking about the skills used by employees who work for organizations like the National Security Agency? There are people in this world who can hack into government databases. There are others who can’t but can use computers. There are those who cannot use computers very well, or at all. And, there are those who have no idea what a computer is or does. Each of these groups would see the previous one as “advanced.”
So, what is “advanced,” exactly? Here’s an example of why this is a legitimate point of confusion: there is software, available for free on the internet, that can be used to brute-force the password to encryption-protected RAR files (files archived/compressed using the WinRAR archiving software).
(Because the encryption used on RAR files is AES-128, so strong that it would take decades — perhaps centuries — to guess the encryption key, comparatively weak passwords are targeted by hackers to gain access to the archived files).
This brute-forcing software — again, freely available — is easy to use. It doesn’t take advanced skills to use it, just the ability to point and click (and search on Google). Granted, it took elite skills to create it, but anyone with half a brain can use it to break into a protected file.
So, again, what exactly is “advanced?” The term is too qualitative. A more quantitative answer would be something like “the laptop computer was protected with AES-256 encryption software” or “password-protection was set up but there was no encryption” (the latter, I should point out, is bad). With such quantitative statements, people would be able to figure out how much of an actual risk they face.
Or maybe not, actually. After all, most people involved in data breaches will not be affected by them. I guess it would be more accurate to say that such quantitative statements allow us to better judge whether a company did an excellent, good, mediocre, or terrible job of securing data. Which is why, without proper legislation, companies (or at least the lawyers representing them) won’t easily reveal it.