The California Department of Public Health (CDPH) has announced a second major breach. Approximately 9,000 employees had their information downloaded to a personal hard drive, an unauthorized move by an employee.
Whether disk encryption software was in use is, in this case, largely a moot point. Had the employee subsequently lost the hard drive, it would have been an important factor. However, the disk was not lost.
What is important is that the CDPH incident was discovered by its department’s security detection system, once again providing evidence that there are numerous components that come into play when dealing with data security.
What I wanted to comment on, though, is the fact that the CDPH only managed to go public with the case 3 months after they were aware of the data breach. The reason given? According to healthleadersmedia.com:
Asked why the breach took three months to announce, CDPH spokesman Al Lundeen said in a telephone interview Friday that the incident required a lengthy investigation.
Which is quite rich, when you consider what the CDPH has done to medical organizations for not reporting a breach quickly enough, even when those organizations gave the same explanation.
Sure, you could argue that these were not patients that were affected, but still… why is sensitive employee information (which includes SSNs in this case) any more important than sensitive patient information?
It appears to me that the CDPH is not playing with a full deck of cards.