Disk Encryption Software: Spectrum Health Systems Non-Portable Hard Drive Stolen.

Spectrum Health Systems, a non-profit organization that focuses on helping substance abuse patients, has gone public with a data breach.  A hard disk drive with patient information was stolen.  While Spectrum had policies where all computer devices were to be protected with data encryption, it looks like this particular device fell afoul of established policies.

Break-in in Worcester

Regardless of how it’s pronounced, it’s the setting for the Spectrum data breach.  On August 24, a desktop computer and a laptop computer were stolen.  Neither of these machines was holding sensitive information.  On August 30, it was found that a “non-portable hard drive” was missing, which is being attributed to the August 24 theft.

This non-portable hard drive contained sensitive patient information for people who had used “Spectrum’s inpatient and outpatient programs in Westborough, Worcester, Milford, Framingham, Southbridge, Fitchburg, and Weymouth” between 2002 and March 2011.  The information in the stolen hard drive included “names, mailing addresses, phone numbers, dates of birth, Social Security numbers, diagnostic codes, and medical insurance numbers.”

While double password-protected, the hard disk was not protected with encryption software.  Spectrum reveals on its website that it conducted an investigation to see whether “all portable and non-portable electronic devices containing personal information are encrypted consistent with its written information security plan.”

According to telegram.com, the hard drive was “being used temporarily.”  Perhaps this is the reason why it was not encrypted.

Questions, Questions, Questions

This story raises a lot of questions.  The one that tickles me is, what is a non-portable hard drive?

Definition of PORTABLE (http://www.merriam-webster.com/dictionary/portable)

a : capable of being carried or moved about <a portable TV>
b : characterized by portability <a portable pension>
c : usable on many computers with little or no modification <portable software>

Technically, the only way a hard drive can be non-portable is if it is too heavy or too big.  I don’t think such drives have been in production since the late 1960s, when they were the size of a “double wide refrigerator.”

In all probability, the “non-portable” label indicates that the hard drive was meant to stay inside a computer, possibly a desktop computer.  In reality, all hard drives are portable due to their size.  In fact, the hard drives found inside computers are the same as the ones found in portable drives.  The latter just happen to be inside a plastic or brushed aluminum enclosure with a USB port (and priced relatively higher).  That the thief stole two whole computers and this disk probably indicates that the disk was just lying about (it appears unlikely that the thief would take the hard drive out of one computer and steal a desktop computer at the same time).

Of course, that’s even more of a reason to have it encrypted than not…

