The law firm of Baxter, Baker, Sidle, Conn & Jones lost an external hard disk drive which contained medical records. While the loss of medical records in and of itself does not trigger a HIPAA breach notification, the firm was representing a HIPAA-covered entity, the Preferred Professional Insurance Company, which made it a business associate. As such, the lack of data encryption software protecting the missing disk represents a notifiable data breach under HIPAA/HITECH.
Firm’s Backup Device?
On reading baltimoresun.com's coverage of the events, it sounds like the missing drive served as the backup solution for the entire firm:
The data-storage device held a complete back-up copy of the firm’s data, including medical records related to the stent malpractice claims, along with patient names, addresses, dates of birth, social security numbers, and insurance information.
The lack of encryption, then, represents a greater threat. Even if medical data had not been present on the backup disk, wouldn't any data held by a law firm be a candidate for cryptographic protection, just in case someone loses something?
And the chances of losing something were quite high:
…the hard drive — a small metal box that was about 8 inches long by 6 inches wide — was taken home nightly as part of the company’s security system, and mistakenly left behind on the train one evening. The woman who forgot it returned for the device within 10 minutes, the firm said, but it was already gone.
This is terrible in terms of data security. It reminds me of a 2007 data breach in Ohio, where backup tapes were stolen from a car. In that particular case, an intern took the backup tapes home every night. Now, keeping backup tapes in a separate location from your original data only makes sense: what if an earthquake hits, or the building burns to the ground? But having someone carry them home on a daily basis? I have read recommendations that backup tapes should be transported to a secure storage location using armored trucks. Obviously, someone just carrying them around on the commuter train pales in comparison.
Of course, I’m not saying you must use an armored truck. However, I am saying that you must have some kind of data protection. For example, handcuff the bag with the drive to your wrist. That’s supposedly how the Secret Service does it with the nuclear football.
If that’s too conspicuous and something of a hassle in our metal detector era, then at least use encryption software. It’s practical, and it works (and, apparently, the law firm agrees: it has decided to encrypt its data going forward).