According to a physician’s own website, the medical office of Dr. Jeremiah J. Twomey, M.D., was vandalized during the weekend of December 31, 2011, resulting in the theft of patient data. However, the information was protected with drive encryption software — not unlike AlertBoot, it appears — so the information remains safe. Or does it?
It was not revealed how many patients were affected by the breach, although we do know that “names, addresses, medical conditions, diagnoses and, in some instances, Social Security numbers and dates of birth, were contained on the stolen hard drive.”
Also, it’s quite evident that disk encryption software was used to protect the external hard disk, as the passage “Dr. Twomey has encrypted all data that is maintained electronically to ensure that personal and confidential health information is stored and handled in a secure manner” shows, which allows the doctor’s press release to claim that “unauthorized use of this data is unlikely.”
It would be possible to make the above claim even if, say, file encryption had been used, since such a solution is equal in cryptographic strength to disk encryption (more often than not, the two use the same encryption algorithm).
However, file encryption leaves too many potential gaps uncovered: temporary files, files that were never encrypted (despite one’s memory of having done so), hidden files, and more. In contrast, encryption software designed to protect the entire drive (hence the name “full disk encryption”) does not suffer from such setbacks, because literally everything on the disk is encrypted.
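The gaps described above are auditable. The script below is an added example (not AlertBoot’s code and not from the press release) of the kind of check a practitioner runs against a volume that relies on file-level encryption: it walks a directory tree and flags temporary or hidden files, and any file whose byte entropy is too low to be ciphertext. The sample tree, the leftover-name patterns and the 7.0 bits/byte threshold are constructed assumptions for the demonstration.

```python
"""Audit a directory for files that file-level encryption may have missed.

Constructed example: the 'encrypted' file is random bytes standing in for
ciphertext; the leftovers are a plaintext temp file and a hidden CSV.
"""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path
from typing import Dict, List

HIGH_ENTROPY_BITS = 7.0  # ciphertext (and compressed data) sits near 8 bits per byte
TEMP_SUFFIXES = (".tmp", ".bak", ".swp", "~")  # assumed leftover-file patterns


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(path: Path) -> List[str]:
    """Return the reasons a file looks like an unencrypted leftover (empty if none)."""
    reasons = []
    if path.name.startswith("."):
        reasons.append("hidden")
    if path.name.endswith(TEMP_SUFFIXES):
        reasons.append("temporary/backup name")
    with path.open("rb") as fh:
        sample = fh.read(65536)  # first 64 KiB is enough to judge plaintext vs ciphertext
    if shannon_entropy(sample) < HIGH_ENTROPY_BITS:
        reasons.append("low entropy (looks like plaintext)")
    return reasons


def audit(root: Path) -> Dict[str, List[str]]:
    """Walk root and map each suspicious file (path relative to root) to its reasons."""
    findings: Dict[str, List[str]] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            reasons = classify(p)
            if reasons:
                findings[str(p.relative_to(root))] = reasons
    return findings


def build_sample_tree() -> Path:
    """Constructed sample data for the demo; not taken from any real office."""
    root = Path(tempfile.mkdtemp(prefix="fde_audit_"))
    (root / "records.enc").write_bytes(os.urandom(4096))  # stands in for ciphertext
    record = b"patient,condition,ssn\nJane Doe,hypertension,000-00-0000\n" * 40
    (root / "~records.tmp").write_bytes(record)  # editor temp file left in plaintext
    (root / ".records_backup.csv").write_bytes(record)  # hidden plaintext copy
    return root


if __name__ == "__main__":
    for rel, why in audit(build_sample_tree()).items():
        print(f"{rel}: {', '.join(why)}")
```

The entropy test is a heuristic: compressed archives and images also score near 8 bits per byte, so a high-entropy file is not proof of encryption, only a low-entropy one is proof of plaintext. That asymmetry is exactly why full disk encryption is the simpler guarantee: there is nothing left to audit.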
You Know What’s Weird? The Fact That We Know About This
One interesting thing to note is that the sole source for this news is a press release by Dr. Twomey, who appears to have been aided by ID Experts in his quest for public broadcasting.
It’s interesting because, if all of the information was truly encrypted, why the public broadcast? Under HIPAA and HITECH, if protected health information (PHI) is guarded with encryption, safe harbor is granted from going public with the breach. This means you:
Don’t have to contact affected patients (you might say “unaffected patients,” given the encryption: their data was stolen, but they can’t be affected because it’s encrypted)
Don’t have to put a notice on your website about the breach
Don’t have to contact “prominent media outlets”
Don’t have to contact the Department of Health and Human Services (HHS)
And yet, here we have a situation where the doctor:
Appears to have set up a website for the express purpose of publicizing the breach, a step above what the HHS requires: A simple WHOIS lookup shows that the site was created on February 1, 2012, and there is barely any information related to the business. Plus, the domain name is set to expire in one year, further indicating that this site is not meant to be a permanent business front on the internet.
Has arranged one year of fraud resolution and other services for all affected patients who care to take up the offer. This is not required by the HHS, and it’s certainly not required if all the data was encrypted.
Has alerted the HHS and affected individuals
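The WHOIS reasoning above (a domain created on February 1, 2012 and set to expire a year later) can be turned into a repeatable check. The script below is an added example, not part of the original post, that pulls the creation and expiry dates out of a WHOIS record and flags registrations of a year or less as likely temporary notice pages. The WHOIS text, the domain name and the field-label aliases are constructed assumptions; real records come from the whois command or a registrar’s lookup service and label their fields differently from registry to registry.

```python
"""Read the registration lifetime out of a WHOIS record to judge whether a
site looks like a short-lived notice page rather than a permanent business front.

The WHOIS text below is constructed for this example, with a placeholder domain.
"""
import re
from datetime import date, datetime
from typing import Dict, Optional, Tuple

# Field labels seen in gTLD WHOIS output; treated here as best-effort aliases.
CREATED_KEYS = ("creation date", "created on", "registered on")
EXPIRES_KEYS = ("registry expiry date", "expiration date", "expires on")

SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-NOTICE-PAGE.COM
Registrar: Example Registrar, Inc.
Creation Date: 2012-02-01T18:03:12Z
Registry Expiry Date: 2013-02-01T18:03:12Z
Updated Date: 2012-02-01T18:03:12Z
Registrant Organization: REDACTED FOR PRIVACY
"""


def parse_whois(text: str) -> Dict[str, str]:
    """Lower-cased 'key: value' pairs; the first occurrence of a key wins."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+?)\s*:\s*(.+?)\s*$", line)
        if m:
            fields.setdefault(m.group(1).lower(), m.group(2))
    return fields


def _find_date(fields: Dict[str, str], keys: Tuple[str, ...]) -> Optional[date]:
    """Return the first matching field parsed as a date (ISO timestamps accepted)."""
    for k in keys:
        if k in fields:
            return datetime.fromisoformat(fields[k].rstrip("Z")).date()
    return None


def registration_lifetime_days(text: str) -> Optional[int]:
    """Days between creation and expiry, or None if either date is missing."""
    fields = parse_whois(text)
    created = _find_date(fields, CREATED_KEYS)
    expires = _find_date(fields, EXPIRES_KEYS)
    if created is None or expires is None:
        return None
    return (expires - created).days


def looks_short_lived(text: str, max_days: int = 366) -> bool:
    """Heuristic: a registration of one year or less suggests a temporary site."""
    days = registration_lifetime_days(text)
    return days is not None and days <= max_days


if __name__ == "__main__":
    print(registration_lifetime_days(SAMPLE_WHOIS), looks_short_lived(SAMPLE_WHOIS))
```

A one-year registration is common for legitimate small sites too, so treat the result as one signal alongside the sparse registrant details and the absence of any business content, as the post itself does.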
I’m getting mixed signals here. Was all of the information encrypted or not? Is the risk of the data’s unauthorized use low or not? The actions on Dr. Twomey’s part seem to contradict his initial statement. It could be that he’s trying to cover all his bases, but he’s already done that by using encryption.
The only answer that explains all of the above is that the encryption used by the doctor was not strong enough. That is, weak encryption was used which, despite being infinitely better than password protection or nothing at all, does not conform to HIPAA / HITECH rules, and thus safe harbor is not granted.
Related Articles and Sites: