Disk Encryption Software: University of California at Los Angeles Health System Data Breach, Over 16K Affected.
UCLA Health System — which includes Ronald Reagan UCLA Medical Center; Mattel Children’s Hospital; Santa Monica UCLA Medical Center and Orthopedic Hospital; and Resnick Neuropsychiatric Hospital, along with outpatient clinics — has announced a data breach involving over 16,000 patients: An external hard drive that was protected with data encryption software was stolen.
Normally, the loss of encrypted patient data is not a data breach. In this case, however, a slip of paper that contained the password is also missing.
Stolen from Former Employee
According to various reports, the information on the now-stolen device included names, dates of birth, addresses, and medical record numbers and other information. SSNs and other financial information, and complete medical data, were not included.
The information dates from July 2007 to July 2011 and affects a total of 16,288 people.
Some report that the hard drive was stolen from a doctor’s home. Others note that it belonged to a former employee who left UCLA in July 2011. According to a UCLA statement, the “hard drive belonged to the former employee ‘who maintained the information on the device in order to perform necessary UCLA job duties.'” I guess it could be a doctor who left the employ of the hospital, but why not just state that?
As noted before, encryption software had been used to protect the patients’ data. But, a slip of paper with the password to access the encryption on the disk is also missing.
I’m not aware that HIPAA / HITECH or the California breach notification law has any provisions regarding the loss of passwords along with the encrypted disk. In fact, I seem to recall that such criticisms surfaced when both came into place. So, UCLA should be applauded for stepping forward when, from a legal standpoint, they could easily have hidden the situation while not breaking any laws.
This situation couldn’t be more tragic. On the one hand UCLA had done everything right. Well, kind of: there is the issue of why a former employee was allowed to keep all this data for a couple of months after parting ways with the hospital.
But, the use of encryption and the fact that they ensured the doctor should have had access to the data belie the fact that UCLA was paying attention to patients’ data security needs. In fact, when you consider that the breach is a result of a missing slip of paper, which UCLA couldn’t possibly have controlled, it seems unfair that they should be blamed for what happened.
Is Writing Down Passwords a Bad Thing?
Coincidentally, I’ve been following an email debate on how long a password has to be. As in most such cases, the debate veered off its course, growing tangential branches into related subjects.
One of these was whether writing down passwords is a bad thing. The above seems to answer the question quite well, at least on the surface.
It’s my opinion that writing down a password is not necessarily a bad thing. Rather, the bad thing is to write down the password and leave it next to the device that it corresponds to. Write down the password if you think you’ll forget it (and you have no other way to recall it, such as a help desk). Just keep it away in a safe place.
For example, I have an extensive library and several of my books hold several loose-leaf pages. Only one of those has the correct passwords intermingled with fake passwords on the same page. And, it’s literally passwords only: which devices and sites they give access to, that’s not noted.
Related Articles and Sites: