The University of Texas MD Anderson Cancer Center has announced a data breach which could affect 2,200 patients. According to sources, a USB flash drive was lost in an employee shuttle bus. The device did not use full disk encryption like AlertBoot to safeguard its contents.
Third Data Loss This Year, Second Breach
This is a bad year for MD Anderson. In January, a stolen laptop almost impacted 4,000 patients; thankfully, the device was protected with encryption software. Also, it belonged to PriceWaterhouseCoopers.
In April, over 29,000 patients were contacted when a MD Anderson laptop was stolen. The laptop was not encrypted.
Now, another 4,000 people are being contacted because of a lost USB thumbdrive:
The data on the lost drive included patients’ names, dates of birth, medical record numbers and diagnoses and treatment and research information. It did not contain Social Security numbers or other financial information, M.D. Anderson said. [ beaumontenterprise.com]
The cancer center has announced that the USB drive was lost in an employee shuttle bus in July.
Encryption Should Have Been Used
While there is no guarantee that the information contained in the lost USB drive will be used in an unauthorized manner, it’s also true that there is no guarantee that it won’t be used, either. In other words, there is no way to tell. In a sense, it’s a coin toss.
That’s one of the reasons why data encryption is used to secure sensitive information: to tilt the odds towards a breach not happening. Encryption is specifically designed to prevent unauthorized access, and as numerous studies show and real life examples, show, encryption does an excellent job of ensuring that the odds are stacked in your favor.
MD Anderson knows this:
“MD Anderson deeply regrets that this incident has occurred. The institution is enhancing its practices regarding the use of portable devices to transport patient data and is working to encrypt these devices. Encryption is a technology that scrambles each device’s data in a way that makes it more difficult for an unauthorized user to retrieve any information from the device. Additionally, MD Anderson has purchased a significant number of encrypted USB thumb drives for distribution to employees who handle sensitive data. Finally, the institution also is reinforcing employee education around our privacy policies that govern the handling of patient information and the use of portable devices to transport such data.” [abclocal.go.com]
Of course, not all encryption products are designed with the enterprise in mind. For example, it’s not unheard of to go through a 6-month planning period to set up everything before the process of encrypting devices takes place (although, admittedly, it would be an extreme example).
On the other hand, the full disk encryption solution from AlertBoot Mobile Security significantly cuts the time from planning to implementation via its innovative installation options, including the distribution of its self-diagnosing encryption installation package over the internet. One happy client finished their encryption project three months before schedule.
Related Articles and Sites: