The theft of a USB flash drive from a University of Miami doctor’s vehicle has led to a breach of patient information affecting 1,219 people. Drive encryption such as AlertBoot apparently wasn’t used to protect the patient data. As a result, the University of Miami is contacting patients with news of the event, as HIPAA/HITECH requires.
UM Posts FAQ
According to a frequently asked questions (FAQ) page posted by UM, the car belonged to a pathologist at the University of Miami Miller School of Medicine. The rear window was broken and a briefcase containing the USB drive was stolen.
Not that it should matter, but the profession helps to explain why the USB pendrive contained (my emphasis):
limited data elements of certain patients who had specimens reviewed by the department of Pathology between 2005 and 2011. This information included name, medical record number, age, sex, diagnosis and treatment information. No financial information or social security numbers were stored on the stolen drive.
Normally, six years’ worth of data on anything is a lot of data to be carrying around willy-nilly. For a pathologist, though, this could merely be chicken feed for a larger project tracking the spread of a particular disease over decades.
Which is all the more reason why this particular device ought to have been protected with encryption software: if the user knew that he or she would be gallivanting around with years and years of data, that is all the more reason to have the data container encrypted.
HITECH Requires Notification
The University of Miami notes upfront in its breach notification letter that patients are being notified of the incident because of the US HITECH Act. HITECH contains an update to the decades-old HIPAA: the Breach Notification Rule.
This rule requires that breached medical entities (technically, HIPAA covered entities) notify patients of any PHI data breach, PHI standing for protected health information. Under the rules, nearly anything that can identify a patient is considered to be PHI, including names and addresses.
If more than 500 people are affected, the breached entity (UM in this case) must take the breach public by notifying state media and/or posting a notice on its website. The Department of Health and Human Services must also be alerted, and it will eventually post the breach on its “Wall of Shame.”
Patients must be notified regardless of how many are ultimately affected. They must be sent a letter, although contacting them via other methods is possible under certain conditions. One thing that I’ve noted, and which I think UM might have failed to comply with, is that patients must be notified within 60 calendar days of the breach’s discovery.
Now, I know December and January have 31 days each, and the breach occurred on November 24. This means that, by any measure, UM has violated the Breach Notification Rule, unless (1) the media got hold of this story one week after UM went public with it or (2) the breach wasn’t discovered until much later than November 24.
My guess is that #2 is what UM was dealing with. Thanksgiving Day fell on that date, ironically enough. I can already picture it: the pathologist comes back from the holidays, say, a week later, and finds the car window broken. Goes into panic mode. A day passes, the situation regarding the USB drive dawns on him or her, and he or she gets in touch with the employer.
UM Already Encrypts Laptops
In the FAQ, the University of Miami noted that the institution already uses encryption software to protect its portable medical computers. In other words, whole disk encryption.
One of the setbacks (the “con” in “pros and cons”) is that disk encryption protects the disk. People think it protects the data, but it doesn’t. It protects the disk by encrypting the disk. And, because the disk is encrypted, any data saved to that disk is also protected.
Yes, it sounds like I’m splitting hairs, but there’s a reason behind this pedantic madness. Once you see it that way, you’ll easily grasp that data copied off of an encrypted disk is not protected anymore. Why? Because disk encryption protects the disk, not the data.
It’s the reason why many encryption software vendors offer ways to control what goes on at your computer’s USB port. AlertBoot, for example, offers free of charge the ability to encrypt USB devices automatically whenever they’re plugged into an already-encrypted computer.
I’m certain UM could have used such a program (in hindsight).