Leading Edge Physiotherapy, a Canadian medical entity, was burglarized on February 3 of this year. Among the items that were stolen was an external hard disk drive that was not protected with data encryption software. The use of encryption like AlertBoot FDE would have helped protect Leading Edge’s patients. Informing the patients of the data breach ASAP – the public notice went out on September 7 – would have helped protect them as well (although not as well as using encryption).
Records from 2003 – 2008 Lost
While it hasn’t been revealed how many people were affected by this data breach, we do know that the stolen hard drive contained the scanned files of patients who were discharged between 2003 and 2008. Names, addresses, dates of birth, treatments, diagnoses, and other physiotherapy records were stored on the hard disk. And while encryption software had not been used to protect the hard drive, it had been placed in a locked safe for safekeeping.
Physically locking up digital data is one way of preventing a data breach. However, as this particular story clearly shows, it’s not an optimal choice. Breaking into a safe, especially one marketed for the average office, is not very hard. Any guy with a hammer is able to do it. Or a guy could use a Dremel rotary tool, which makes about as much noise as a hammer but is easier on the wrists (note: I’ve never cracked open a safe, but I’ve had a go at a bike lock when I lost my keys).
Contrast this with managed strong encryption from AlertBoot FDE. AES-256 encryption is so strong that even the US government has problems getting at data protected by it; rather than attacking the cipher directly, it resorts to secret court orders, man-in-the-middle attacks, and brute-force attempts on weak passwords to get around the problem. Such efforts require PhDs and millions of dollars, resources that your average office burglar doesn’t have access to.
Knowing this, what’s the better way to secure data, a safe or encryption?
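To make the comparison concrete, here is an added example (not AlertBoot’s code, and not anything from the Leading Edge incident) showing what an encrypted record looks like to someone who walks off with the disk. It encrypts a constructed sample record with AES-256-GCM from Go’s standard library, checks that no readable fragment of the record survives in the ciphertext, and shows that the wrong key produces an error rather than garbled output. The sample record, the key handling and the fragment-scanning helper are assumptions for illustration; a real FDE product derives and manages the key itself and encrypts whole sectors rather than individual files.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// SampleRecord is a constructed stand-in for a scanned physiotherapy file.
// It is hypothetical data, not anything taken from the incident above.
const SampleRecord = "Patient: Jane Example\nDOB: 1970-01-01\nDiagnosis: lumbar strain\nVisits: 12\n"

// NewKey returns a random 256-bit AES key. A managed FDE product would
// derive this from the user's passphrase and escrow it for recovery.
func NewKey() ([]byte, error) {
	key := make([]byte, 32) // 32 bytes selects AES-256 in aes.NewCipher
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts plaintext with AES-256-GCM. The returned blob is
// nonce || ciphertext || authentication tag, which is what ends up on disk.
func Seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal. A wrong key or a tampered blob yields an error, never
// partially readable plaintext, because GCM authenticates the ciphertext.
func Open(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short to contain a nonce")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// Leaks reports whether any 8-byte run of the plaintext appears verbatim in
// the blob, i.e. whether someone scanning the raw disk would find readable
// fragments. On an unencrypted disk this is trivially true.
func Leaks(blob, plaintext []byte) bool {
	const window = 8
	for i := 0; i+window <= len(plaintext); i++ {
		if bytes.Contains(blob, plaintext[i:i+window]) {
			return true
		}
	}
	return false
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	blob, err := Seal(key, []byte(SampleRecord))
	if err != nil {
		panic(err)
	}
	fmt.Printf("unencrypted disk leaks record: %v\n", Leaks([]byte(SampleRecord), []byte(SampleRecord)))
	fmt.Printf("encrypted disk leaks record:   %v\n", Leaks(blob, []byte(SampleRecord)))

	wrong, _ := NewKey()
	if _, err := Open(wrong, blob); err != nil {
		fmt.Println("wrong key:", err) // the thief gets an error, not a record
	}
	pt, err := Open(key, blob)
	if err != nil {
		panic(err)
	}
	fmt.Printf("right key recovers %d bytes\n", len(pt))
}
```

The point of the `Leaks` check is that a safe protects the disk, whereas encryption protects the data: once the disk is out of the safe, the first check is all the protection that remains.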
Sometimes Legislation is the Answer
Bureaucracy, it’s been said, can sap the life out of businesses. On the other hand, there is something to be said about well-written legislation.
According to the site stalbertgazette.com, Leading Edge Physiotherapy (LEP) placed an advertisement announcing the burglary on page 42 of the Gazette. As noted above, the notice went out seven months after the event took place. This does not sound like the actions of a concerned organization. On the other hand, you can’t really tell, can you? LEP could have a perfectly valid reason for taking so long to warn its patients. But then, is a warning seven months after the fact of any use?
This is why the US’s HIPAA data breach notification rules – which state that a covered entity must contact affected patients within 60 calendar days of discovering the breach – are so useful. Honestly, if you haven’t figured out what’s going on in 60 days, chances are you won’t know, and it’s time to just get the message out.