According to a letter sent to clients of Desert AIDS Project (DAP), the theft of an office computer has triggered a data breach. It has not been revealed whether the computer in question was protected with drive encryption like AlertBoot. But, a “strong password” was used, so there’s that.
Desert AIDS Project reported to clients and the State of California that a thief broke into DAP offices on April 12, 2012 and stole a receptionist’s computer.
The computer did not contain medical details or certain personally identifying information (SSNs, driver’s license numbers, credit or debit card numbers, health insurance numbers, or other account numbers). However, there was a spreadsheet that contained client names, staff names, client status (active, discharged, etc.), internal client identification numbers, and dates of birth.
The letter goes on to note that the “spreadsheet itself does not include DAP’s name” but that “other documents stored on the stolen computer may reveal its connection to DAP.”
Not to be sarcastic, but so does the fact that the thief took it from the office, doesn’t it? I mean, it’s not as if the computer was stolen from a car parked in a shopping mall garage. The connection to DAP is pretty obvious.
Encryption or Password-Only?
The use of a strong password, unfortunately, is meaningless on its own. A strong password tends to be long and random, and is composed of upper- and lowercase letters, numbers, and special characters. The password ASF23$GaSDFSAfaSdfsad@TR3r23332rgERVfwfWwGwhLKu,MNwWQF/./.<ewqf would be considered a very strong password.
The problem is that if this password is not securing a computer protected with disk encryption, then getting around it is pretty easy. You just pop out the hard drive and connect it to another computer.
In effect, the popped-out drive becomes an external hard drive and the password never comes into play because the operating system on that disk lies dormant (whereas the active operating system is the one set up by the thief or hacker).
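To check whether a machine would survive that drive-swap scenario, the following added example (not from the original article or from DAP) flags mounted filesystems that do not sit on an encrypted layer. It assumes a Linux host and the JSON output of `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT`; both sample hosts are constructed for illustration.

```python
import json

# Constructed samples of `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` output.
# Host A: root filesystem inside a LUKS (dm-crypt) container.
ENCRYPTED_HOST = """{"blockdevices": [
 {"name": "sda", "type": "disk", "fstype": null, "mountpoint": null, "children": [
  {"name": "sda1", "type": "part", "fstype": "vfat", "mountpoint": "/boot/efi"},
  {"name": "sda2", "type": "part", "fstype": "crypto_LUKS", "mountpoint": null,
   "children": [
    {"name": "cryptroot", "type": "crypt", "fstype": "ext4", "mountpoint": "/"}]}]}]}"""

# Host B: login password only, filesystems written straight to the partitions.
PLAIN_HOST = """{"blockdevices": [
 {"name": "sda", "type": "disk", "fstype": null, "mountpoint": null, "children": [
  {"name": "sda1", "type": "part", "fstype": "vfat", "mountpoint": "/boot/efi"},
  {"name": "sda2", "type": "part", "fstype": "ext4", "mountpoint": "/"},
  {"name": "sda3", "type": "part", "fstype": "ext4", "mountpoint": "/home"}]}]}"""


def unencrypted_mounts(lsblk_json):
    """Return mountpoints readable by anyone who attaches the drive elsewhere.

    Only dm-crypt layers (lsblk type "crypt") count as encryption here;
    self-encrypting drives and file-level encryption are not detected.
    """
    exposed = []

    def walk(node, under_crypt):
        # A filesystem is protected if it or any ancestor is a crypt device.
        under_crypt = under_crypt or node.get("type") == "crypt"
        mountpoint = node.get("mountpoint")
        if mountpoint and not under_crypt:
            exposed.append(mountpoint)
        for child in node.get("children", []):
            walk(child, under_crypt)

    for disk in json.loads(lsblk_json)["blockdevices"]:
        walk(disk, False)
    return sorted(exposed)


if __name__ == "__main__":
    for label, sample in (("encrypted", ENCRYPTED_HOST), ("plain", PLAIN_HOST)):
        print(label, "->", unencrypted_mounts(sample))
```

On the encrypted host only the EFI boot partition is reported, which normally holds no user data; on the password-only host every filesystem, including `/home`, is exposed.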
When you’re in a business where patient confidentiality is of the utmost importance, you must ensure that you’ve got more than adequate security. At the same time, you can’t go crazy: DAP probably can’t afford all the things an outfit like Goldman Sachs is using to protect its data.
But some measures are more affordable than others while offering enhanced protection, like centrally managed encryption software that uses AES-256 to guard a computer’s contents.