Data Encryption Software: Colorado Department of Health Care Policy and Financing Loses Disk, Causes HIPAA Breach.
The Colorado Department of Health Care Policy and Financing has announced that over 3,500 medical-aid applicants’ information was lost when a disk was lost en route to a state agency. The disk does not appear to have been protected with data encryption such as AlertBoot.
Nearly 3,600 Affected
According to the denverpost.com, HCPF officials have said that 3,590 people’s protected health information was included in the missing disk. Although dates of birth, SSNs, and other personal information that is used in identity theft was not included, the disk did contain names, addresses, and state identification numbers.
The breach was discovered on May 6.
HIPAA Breach Notification Rules
The HCPF made it clear that the reason why they were announcing the breach was due to HIPAA. According to a HIPAA amendment in the HITECH Act of 2009, and as interpreted by the US Department of Health and Human Services (HHS), any medical HIPAA-covered entities that experience a breach must notify patients that were affected by said breach (but only if protected health information is involved).
No ifs or buts…unless that information was protected with encryption software. Not just any encryption, but strong encryption (such as AES -256). Otherwise, the entity that was entrusted with the information must notify patients and the HHS, which will in turn publicize any breaches involving 500 or more patients.
I must admit that I’m surprised that information still gets sent via an unencrypted disk. But maybe I shouldn’t be. After all, it happens more often that you imagine it would. And, in the current environment of hacked servers and misdirected email (and regular mail, for that matter), perhaps it makes sense.
But why not have a requirement to send it in encrypted format? The encryption password can still be sent over email, and the only way that can cause damage is if someone manages to intercept the email and the package.
And that is definitely more secure than sending something unencrypted via mail.
Related Articles and Sites: