Patients and oncologists at the Cancer Care Group (CCG, a private physician practice based out of Indianapolis, Indiana) are being informed that the theft of a company laptop has resulted in a data breach. It is the fourth largest data breach of 2012, and it could have been prevented with the judicious use of data encryption like AlertBoot.
Locked Car at the Center of Breach
According to various sources, the breach occurred on July 19, when a laptop computer was stolen from an employee’s car. The breach was not instigated by the theft of the laptop per se; rather, it was the “computer server backup media” that was in the laptop that held the data.
I have no idea what “computer server backup media” means, but I’m assuming that — based on the current state of technology and the fact that it was a laptop — either a DVD or a USB thumbdrive with data is at the heart of this latest patient health information security breach.
The breach affects nearly 55,000 individuals, including Cancer Care Group’s own employees. Compromised information includes “names, addresses, dates of birth, and Social Security numbers for both parties as well as medical and insurance information for patients and beneficiary, employment, or financial information for employees,” according to ehrintelligence.com.
Over at healthcareitnews.com, it is being pointed out that this breach is the fourth largest of 2012:
It stands behind similar incidents at Utah Department of Health, involving the PHI of 780,000 individuals; Emory Healthcare, involving the PHI of an estimated 315,000 individuals; and South Carolina Department of Health, involving PHI of 228,000 individuals.
Cancer Care Group’s own data mismanagement looks pale and paltry in comparison. On the other hand, it’s 55,000 people. Nothing paltry about that. Especially if you consider that the US Department of Health and Human Services requires that cases involving more than 500 patients be publicized in their “Wall of Shame.”
Reviewing Security Measures, Some Already in Progress
A statement by CCG notes that,
“Cancer Care Group is encrypting all mobile media, updating policies and procedures, upgrading data storage technology, and re-educating our workforce on safety with mobile media,” notes spokesman Clyde Lee, “Some of these steps already were underway at the time this incident occurred.” [ehrintelligence.com]
There is no evidence to believe that the backup media were the target of the theft or that any of the information on the media has been accessed or used for fraudulent purposes. [fiercehealthit.com]
As usual, I have problems with such statements. The fact that there is no evidence that the backup media was targeted doesn’t mean that it didn’t or won’t happen. The example I give out: if a thief’s target is a handbag (in the fashion world, some of them can fetch unheard-of prices), does it mean that he won’t look inside it? Maybe take the credit cards and wad of cash found in it?
Why would it be different for computers and other digital media? Heck, a test by Symantec showed that 89% of people snooped on the contents of a found smartphone. Are we supposed to believe that it would be otherwise for a laptop computer?
Of course, you can’t blame CCG too harshly; they claim that they were already in the process of securing data when the incident took place. And, chances are that such problems will still occur once in a blue moon after their project is finished.
The above case illustrates not only the need to use proper data security tools, but also the need for those tools to be easy and fast to deploy. If a solution takes, say, one year from purchase to 100% implementation, you probably have the wrong solution, especially if analogous solutions offering the same functionality can complete the job in less than half that time.