Stanford Hospital is warning approximately 2,500 patients that their personal health information may be at risk after a computer was stolen from a doctor’s office between July 15 and July 16. The computer had security in the form of (1) password protection and (2) laptop tracking software. Apparently, laptop encryption software like AlertBoot was not used.
Names, Some SSNs, and Other Info
The breached data includes “patient names, location of service and medical record numbers. Some records may include details such as treatment histories, birth dates or ages and social security numbers,” according to patch.com.
The computer is confirmed to have used password protection (which, despite the name, doesn’t quite protect data) and “contained software that should indicate whether it was connected to the Internet and show its location, but so far it has not been detected.”
The problem with the latter is that it’s not really a data protection program; rather, it’s asset recovery software, and one that only works when an internet connection is present. Why do I call it an asset recovery program? Because it stops at tracking the stolen computer; it can’t do anything about preventing a thief from accessing the computer, copying the data, slaving the disk to another computer, etc.
Encryption software, on the other hand, works by preventing unauthorized access, and is not conditional on the presence of an internet connection, or anything else, for that matter. Preventing access is the default mode.
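The distinction above (tracking and passwords versus encryption of the data at rest) is something an asset inventory can check directly rather than assume. As an added illustration that is not part of the original post, here is a small audit routine that assumes a Linux laptop and the key/value output of `lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME`: it walks each mounted filesystem up to its parent block devices and flags any mount that does not sit on a dm-crypt (`TYPE="crypt"`) layer, then maps known PHI file paths onto those mounts. The sample `lsblk` text and PHI paths are constructed for the example; the function names are my own.

```python
"""Flag PHI stored on unencrypted volumes, using lsblk's -P (key="value") output.

Assumed command on the audited host: lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME
The sample below is constructed: LUKS root with an LVM home on top of it,
an unencrypted /boot (normal) and an unencrypted /data partition (the problem).
"""
import re
import subprocess
from typing import Dict, List, Sequence

SAMPLE_LSBLK = """\
NAME="sda" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="sda1" TYPE="part" MOUNTPOINT="/boot" PKNAME="sda"
NAME="sda2" TYPE="part" MOUNTPOINT="" PKNAME="sda"
NAME="cryptroot" TYPE="crypt" MOUNTPOINT="/" PKNAME="sda2"
NAME="vg-home" TYPE="lvm" MOUNTPOINT="/home" PKNAME="cryptroot"
NAME="sdb" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="sdb1" TYPE="part" MOUNTPOINT="/data" PKNAME="sdb"
"""

_PAIR = re.compile(r'(\w+)="([^"]*)"')


def parse_lsblk_pairs(text: str) -> Dict[str, Dict[str, str]]:
    """Parse lsblk -P lines into {NAME: {TYPE, MOUNTPOINT, PKNAME}}."""
    devices = {}
    for line in text.splitlines():
        fields = dict(_PAIR.findall(line))
        if "NAME" in fields:
            devices[fields["NAME"]] = fields
    return devices


def is_encrypted(name: str, devices: Dict[str, Dict[str, str]]) -> bool:
    """True if the device or any ancestor in the block stack is a crypt layer."""
    seen = set()
    while name and name in devices and name not in seen:
        seen.add(name)
        if devices[name].get("TYPE") == "crypt":
            return True
        name = devices[name].get("PKNAME", "")
    return False


def unencrypted_mounts(text: str, allow: Sequence[str] = ("/boot", "/boot/efi")) -> List[str]:
    """Mountpoints that are not backed by encryption; /boot is allowed by default."""
    devices = parse_lsblk_pairs(text)
    return sorted(
        d["MOUNTPOINT"]
        for d in devices.values()
        if d.get("MOUNTPOINT") and d["MOUNTPOINT"] not in allow
        and not is_encrypted(d["NAME"], devices)
    )


def mount_for(path: str, mounts: Sequence[str]) -> str:
    """Longest mountpoint that is a prefix of path (filesystem-aware, not string-only)."""
    best = ""
    for mp in mounts:
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            if len(mp) > len(best):
                best = mp
    return best


def phi_at_risk(text: str, phi_paths: Sequence[str]) -> Dict[str, str]:
    """Map each PHI path that lives on an unencrypted mount to that mount."""
    devices = parse_lsblk_pairs(text)
    all_mounts = [d["MOUNTPOINT"] for d in devices.values() if d.get("MOUNTPOINT")]
    bad = set(unencrypted_mounts(text))
    return {p: mount_for(p, all_mounts) for p in phi_paths if mount_for(p, all_mounts) in bad}


if __name__ == "__main__":
    try:  # use the live host when lsblk is available, else the constructed sample
        text = subprocess.check_output(
            ["lsblk", "-P", "-o", "NAME,TYPE,MOUNTPOINT,PKNAME"], text=True)
    except (OSError, subprocess.CalledProcessError):
        text = SAMPLE_LSBLK
    # constructed PHI locations for the demonstration
    print("unencrypted mounts:", unencrypted_mounts(text))
    print("PHI at risk:", phi_at_risk(text, ["/data/clinic/records.csv", "/home/dr/notes.txt"]))
```

On the constructed sample, `/home` passes because its LVM volume stacks on the LUKS layer, while `/data` is reported because nothing between the partition and the disk encrypts it; a password on the login screen would not change that result, which is exactly the gap described above. A fleet tool would run the equivalent check (`fdesetup status` on macOS, `manage-bde -status` on Windows) and refuse to mark a device compliant on the strength of tracking software alone.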
You know, Stanford is one of the premier universities in the US. For an institution that produces a bunch of geniuses, instances like the above imply it is being run by anything but. I mean, sure, you could excuse a complex and enormous entity like Stanford for not being able to coordinate the protection of all of its computers.
But then, how did they manage to install the computer tracking software and turn on password-protection? If they were able to do that, they certainly had the resources to ensure the computer was encrypted as well.
More depressing is that this is not the first time Stanford has been caught in a medical data breach. Nearly two years ago, the Lucile Salter Packard Children’s Hospital at Stanford University was fined $250,000 for not promptly reporting a data breach to the state of California. Granted, the penalty was handed down because Stanford U. was slow in reporting the breach... but honestly, wouldn’t one conclude that the state of California appears to be less interested in receiving prompt reports than in not receiving any reports because adequate protection was in place?
It’s been a while since I’ve gone over individual state laws, but the last time I checked, California was one of those states where breach reports don’t need to be filed if encryption was used to protect data (this is true of HIPAA/HITECH as well).
Inquiring minds wonder why Stanford still tolerates the use of unencrypted devices that hold PHI.