Over four million people are affected by the theft of four desktop computers from Advocate Medical Group. The computers were not protected with medical data encryption software, which runs counter to most HIPAA experts’ recommendations. The one silver lining for AMG is that there is still time left before compliance with the HIPAA Omnibus Final Rule is required (but, frankly, that hasn’t stopped HHS from handing out million-dollar HIPAA fines to covered entities that should have known better).
Enough Information for ID Theft
According to chicagotribne.com, the computers were stolen on July 15. Burglars broke into an administrative building and stole four computers that contained names, addresses, SSNs, and dates of birth. Chicagotribne.com points out that financial information and medical records were not stolen.
However, the information that was stolen is enough to fetch good money on the black market. The value of names and SSNs varies, but even at the low end of pennies per name, the thieves could get at least $40,000 by selling the data (and probably much more; quantity has a quality all its own, after all, not that I make it a habit of quoting despotic leaders).
The breached information goes as far back as the early 1990s. One year of free credit monitoring is being offered to people whose information was stolen.
Desktop Computer Encryption
One of the more upsetting aspects of this story is that security, in all of its forms, was severely lacking. The computers reportedly had password protection, but most people already know that an operating-system login password cannot be relied on to protect data at rest: it does nothing to stop someone who removes the drive or boots from other media. The building itself didn’t have much physical security either. Security cameras were present, but the office was “not equipped with an alarm.” It’s also apparent that the company didn’t have 24/7 security staff at the time of the burglary.
Under the circumstances, it’s almost as if the company believed that these desktop computers didn’t require meaningful security because…they’re desktop computers. You know, just like you wouldn’t use a $200 bike lock on a weathered Walmart bicycle with a tattered seat and an extremely rusty chain.
The problem is, thieves are willing to steal anything if they think they can get away with it. Desktop computers are not sexy, but they are bankable: sell them cheap or sell them for parts. And the data on them takes the same form regardless of the device: laptop, desktop, netbook, tablet, smartphone, etc.
With HHS’s Office of Civil Rights handing out million-dollar penalties for HIPAA breaches every six months or so (they can afford to be picky about whom to make an example of; there are thousands of reported data breaches each year, and the number is growing), it’s perplexing that any covered entity or business associate is willing to take a short-sighted approach to PHI protection.