Disk Encryption Software: Ohio PASSPORT Program Breach.

The Ohio District 5 Area Agency on Aging has announced a data breach that affects 78,000 people in total, if I’m reading things correctly.  The breach was triggered when a laptop computer was stolen.  The implication seems to be that hard drive encryption like AlertBoot was not used to secure protected health information.

Car Theft

The laptop computer was stolen from an employee’s vehicle on June 3.  The employee was a case manager, and the car was parked at a library in downtown Mansfield (per wmfd.com).  The laptop contained personal health information (PHI) on 43,000 people, as well as contact information on an additional 35,000 “related clients’ personal representatives.”

Just what type of patient information was lost (PHI can range from medical diagnostics, to patients’ names, to their credit card numbers) has not been specified.

PASSPORT stands for “Pre-Admission Screening Providing Options and Resources Today.”  In a nutshell, the program provides alternatives to nursing homes and other forms of age-based institutionalization (hate to put it that way, but that’s what it is, essentially).  It is funded via Medicaid, which means that the loss of this laptop has HIPAA / HITECH repercussions.

Or does it?  The agency director has been quoted as saying that the computer requires two passwords, and hence would be difficult to hack (wmfd.com).

Password or Encryption Software?

The problem with the director’s statement is that it doesn’t really reveal anything.  Are the passwords in any way associated with encryption?  Or is it literally two passwords?  If the latter, it could be that there is less security than the director believes there is.

After all, if the use of passwords alone were considered “security,” why is it that safe harbor is not extended under the HITECH Act when patient data is lost or stolen, whereas the use of medical data encryption does afford safe harbor?  (By safe harbor, I mean granting a breached entity the option to not send notification letters.)

Is it because of the encryption lobby?  Nope.  It’s just that encryption today secures any sensitive data that is worth securing, not because of some conspiracy, but because encryption works.
