Medical Laptop Encryption Software: University of Texas MD Anderson Cancer Center Notifies 30,000 Of Data Breach.

A faculty member at the MD Anderson Cancer Center at the University of Texas had his laptop computer stolen, potentially exposing the data of 30,000 patients.  The laptop was not protected with hard drive encryption like AlertBoot, which means not only that the data on the stolen device is easily accessible, but also that the medical organization probably has a HIPAA data security breach on its hands.

Stolen from Physician’s Home

According to numerous reports, the unencrypted laptop was stolen from the physician’s home on April 30.  There was a two-month delay in sending out notifications, however, as outside contractors ran forensic tests to figure out what type of data was stored on the stolen device.

It was determined that the laptop contained medical record numbers; patient names; Social Security numbers; and treatment and research information.  Which raises the question: why was this laptop not secured with encryption software?  The use of such data protection programs would have prevented the entire fiasco (a cloud-managed, easily deployable encryption solution like AlertBoot would have been optimal in this case).

Also, it should be pointed out that under HIPAA / HITECH, a covered entity is mandated to contact potential PHI (protected health information) data breach victims.  Under the Breach Notification Rule, covered entities have up to 60 calendar days to contact individuals — although it’s not a 60-day pass to wait (the rules do require that notifications be sent as soon as possible.  Sitting on one’s hands waiting for the inevitable is also a violation of the Notification Rule, and possibly grounds for assessing penalties).

In this light, the fact that UT decided to send notification letters as they neared the two-month mark is a strong sign that there are HIPAA issues involved.  Not that I’m accusing UT of just waiting for the inevitable:

M.D. Anderson waited to notify patients until it had a “high degree of certainty” regarding the information, Fontaine said, because the information on the laptop was not consistent for each patient, and the center did not want to cause undue panic.

“We moved with as much dispatch as we could, not wanting to create unnecessary anxiety” for unaffected patients, Fontaine said.

Stepping Up Their Encryption Program

Due to the data breach, UT MD Anderson has

stepped up its encryption program. The center had been encrypting devices for “quite some time” prior to the theft, Fontaine said. However, factors such as balancing employees’ need to communicate with patients via personal devices and dealing with technical problems caused by encryption had made the process slower than desired. Now M.D. Anderson has brought on additional staff and basically has “opened a 24/7 encryption center,” Fontaine said.

Deploying encryption is not necessarily easy.  Sometimes, it’s well-nigh impossible (I’ve heard rumors, for example, that at one point the Veterans Affairs department temporarily shelved thousands of encryption licenses because they had no real way of deploying them… for two years!  They opted to go with a different solution).

In a mobile workforce, the problem is compounded by the fact that the hardware sometimes never makes it back to HQ.  I don’t mean to say that the laptops are stolen.  Far from it: the employee is happily using it, boosting his efficiency.  But the machine stays at home because it contains sensitive data and you don’t want to be toting it around.

This is the type of scenario that AlertBoot FDE solves quite painlessly.  Because the software is distributed over the internet, an endpoint only needs an internet connection to start the encryption process.  Plus, the only data stored on our servers are the encryption keys (for distribution and backup), meaning that we never handle sensitive data.  And, it comes with 24/7 support.  Plus, a client’s networks are minimally impacted because the deployment is not initiated from the client’s own network.

While I can’t make any guarantees, it could be that UT’s tune would be a different one had they opted for a centrally-managed and deployed disk encryption solution.
