HIPAA Laptop Encryption: Seton Healthcare Data Breach Involves 5,500 People.

According to phiprivacy.net, Seton Healthcare Family has announced a data breach that affected 5,500 people when a laptop computer was stolen.  The computer was not protected with HIPAA compliant encryption due to a “glitch during installation.”  The breach-tracking site notes that this is not the first time Seton has been involved in a data breach (it lists four past breaches since 2006).

Laptop Stolen from Clinic

Seton reported the laptop as stolen on October 4, from the Seton McCarthy Clinic.  The breach extends to other clinics:  patients that visited the Seton Topfer and Seton Kozmetsky community health centers were also affected, as well as people enrolled in the Seton Total Health Partners program.

Information on the stolen computer includes names, addresses, phone numbers, dates of birth, Seton medical numbers, patient account numbers, SSNs (although not all patients are affected), diagnoses, immunization information, and insurance information.

As noted earlier, this is not Seton’s first data breach.  The four breaches listed at phiprivacy.net include:

  • 2006 – 14 patients affected when a laptop was stolen from an employee’s home.
  • 2007 – 2,500 affected when two laptops were stolen from an employee’s car.
  • 2007 – 7,800 affected when a laptop was stolen from their information services department in North Austin.
  • 2012 – 555 affected when a Seton business associate mailed information to the wrong people.

Overall, it looks like Seton has done a great job in controlling data breaches, seeing how this is their first reported data breach in six years (in my personal opinion, if a BA causes a data breach, it’s the BA’s fault, even if the covered entity is legally on the hook).

Still, one wonders: could Seton not have prevented this month’s data breach?  Yes, but it would have required the right tools.

Checks, Balances, and Auditing

How can you verify that a machine is really protected with the encryption software that you just installed? The surefire method is to take the hard disk out of the computer, slave it to another computer, and see if you can read the slaved disk's contents. If the second computer reports the disk as unformatted and you cannot read anything off it, you know things are working A-OK (because encryption scrambles data, an encrypted disk looks like random, unformatted data when connected to any other computer).
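The slaved-disk check above can be made a little more systematic. The following is an added example, not code from the original article or from AlertBoot: it takes the first few kilobytes read from a disk and decides whether they carry a plaintext filesystem signature (readable, so not encrypted), a known full-disk-encryption container header, or no signature at all, in which case it falls back on a byte-entropy measurement. The disk samples are constructed inline (an NTFS-style boot sector, a BitLocker-style header, deterministic pseudo-random bytes standing in for ciphertext, and a zeroed disk); the signature offsets and magic values are the standard ones for those formats, and the 7.5 bits/byte threshold is an assumption chosen for the example.

```python
import math
import random
from collections import Counter
from typing import Optional

# Signatures that a readable, unencrypted disk exposes at fixed offsets
# (offset from the start of the sample, expected bytes).
PLAINTEXT_SIGNATURES = {
    "NTFS boot sector": (3, b"NTFS    "),
    "exFAT boot sector": (3, b"EXFAT   "),
    "FAT32 boot sector": (82, b"FAT32   "),
    "GPT header (LBA 1)": (512, b"EFI PART"),
}

# Full-disk encryption products leave a small plaintext container header so the
# boot loader can locate the volume; the bulk data behind it is ciphertext.
CONTAINER_SIGNATURES = {
    "BitLocker volume": (3, b"-FVE-FS-"),
    "LUKS volume": (0, b"LUKS\xba\xbe"),
}

HIGH_ENTROPY_THRESHOLD = 7.5   # bits per byte (assumed); uniform random data approaches 8.0

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte in the sample (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = Counter(data)
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())

def _match(sample: bytes, table: dict) -> Optional[str]:
    """Return the name of the first signature in table found in sample, if any."""
    for name, (offset, magic) in table.items():
        if sample[offset:offset + len(magic)] == magic:
            return name
    return None

def classify_disk_sample(sample: bytes) -> str:
    """Classify the leading bytes of a disk read from a second machine.

    'encrypted container: <name>'  - a known FDE header is present
    'plaintext filesystem: <name>' - a readable filesystem structure is present
    'high entropy, no signature'   - looks like ciphertext or random data
    'low entropy, no signature'    - blank, sparse, or otherwise not ciphertext
    """
    hit = _match(sample, CONTAINER_SIGNATURES)
    if hit:
        return f"encrypted container: {hit}"
    hit = _match(sample, PLAINTEXT_SIGNATURES)
    if hit:
        return f"plaintext filesystem: {hit}"
    if shannon_entropy(sample) >= HIGH_ENTROPY_THRESHOLD:
        return "high entropy, no signature"
    return "low entropy, no signature"

# --- constructed samples standing in for the first 4 KiB read from a slaved disk ---
def make_ntfs_sample() -> bytes:
    sector = bytearray(4096)
    sector[3:11] = b"NTFS    "          # OEM ID of an NTFS boot sector
    sector[510:512] = b"\x55\xaa"       # boot-sector signature
    return bytes(sector)

def make_bitlocker_sample() -> bytes:
    sector = bytearray(4096)
    sector[3:11] = b"-FVE-FS-"          # BitLocker volume header OEM ID
    return bytes(sector)

def make_random_sample(seed: int = 1) -> bytes:
    rng = random.Random(seed)           # deterministic stand-in for ciphertext
    return bytes(rng.getrandbits(8) for _ in range(4096))

if __name__ == "__main__":
    for label, sample in [("ntfs", make_ntfs_sample()),
                          ("bitlocker", make_bitlocker_sample()),
                          ("random", make_random_sample()),
                          ("zeroed", bytes(4096))]:
        print(f"{label:10s} entropy={shannon_entropy(sample):.2f} -> {classify_disk_sample(sample)}")
```

Two caveats worth keeping in mind when using a check like this: a high entropy score says only that the bytes are not an obvious plaintext structure (compressed data scores almost as high as ciphertext), and a recognised container header says the volume is encrypted but not that the key is protected. The check answers "is this disk readable as-is", which is exactly the question the slaved-disk test asks.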

Of course, doing this for every single computer is impractical if you have many computers in the workplace. One easy way to get around physically slaving disks is to run a report (assuming such a report is available), but then you run into another problem: how can you tell which computers are not encrypted? Reports generally show which computers are encrypted, and make it hard to pick out the ones that are not.

Knowing such problems are typical, AlertBoot FDE has incorporated a dashboard that lists such information for both computers and devices such as smartphones and tablets (it only makes sense, since the cloud-based management allows the control of combined FDE and MDM). A user can easily see whether there are any unprotected devices. Furthermore, this information is updated continuously, allowing an administrator to take action ASAP, as opposed to waiting until the next audit to figure out that something went wrong.
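The reporting problem described in the two paragraphs above (a report that lists encrypted machines makes the unencrypted ones invisible) comes down to starting from the asset register rather than from the encryption agent's reports. The following is an added example, not code from the article or from AlertBoot's product: it joins a constructed asset register against a constructed agent status report and lists every device that cannot be shown to be encrypted, whether because its install failed, because it has not checked in recently, or because it never reported at all. The device names, dates, state values and the seven-day staleness window are all assumptions made for the example.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed asset register and agent report (not data from any real deployment).
# clinic-lt-02's install failed, clinic-lt-03 stopped checking in, and clinic-lt-04
# never reported at all; a report of "encrypted devices" would show none of them.
ASSET_REGISTER = ["clinic-lt-01", "clinic-lt-02", "clinic-lt-03", "clinic-lt-04", "clinic-tab-01"]

STATUS_REPORT = """\
device,last_seen,encryption_state
clinic-lt-01,2012-10-03T09:12:00,encrypted
clinic-lt-02,2012-10-03T08:55:00,install_failed
clinic-lt-03,2012-09-20T17:40:00,encrypted
clinic-tab-01,2012-10-03T07:30:00,encrypted
"""

def parse_report(text: str) -> dict:
    """Map device name -> (last_seen datetime, encryption_state) from the CSV report."""
    parsed = {}
    for row in csv.DictReader(io.StringIO(text)):
        parsed[row["device"]] = (datetime.fromisoformat(row["last_seen"]), row["encryption_state"])
    return parsed

def unprotected_devices(assets, report, now, max_age):
    """Return [(device, reason)] for every asset that cannot be shown to be encrypted.

    A device counts as unprotected when it is absent from the report, when its
    last reported state is anything other than 'encrypted', or when its last
    'encrypted' report is older than max_age (a stale status is not evidence).
    Iterating over the asset register, not the report, is what surfaces devices
    that never reported.
    """
    findings = []
    for asset in assets:
        if asset not in report:
            findings.append((asset, "never reported"))
            continue
        last_seen, state = report[asset]
        if state != "encrypted":
            findings.append((asset, f"state={state}"))
        elif now - last_seen > max_age:
            findings.append((asset, f"stale, last seen {last_seen.isoformat()}"))
    return findings

def demo_findings():
    """Run the check over the constructed data with a fixed 'current time'."""
    now = datetime(2012, 10, 4, 12, 0)    # constructed clock for the demo
    return unprotected_devices(ASSET_REGISTER, parse_report(STATUS_REPORT), now, timedelta(days=7))

if __name__ == "__main__":
    for device, reason in demo_findings():
        print(f"{device}: {reason}")
```

The design point is the join direction: the asset register is the authority on what exists, and the encryption agent only supplies evidence for the devices it knows about. A machine whose agent install failed with a "glitch" looks identical, from the report's point of view, to a machine that was never enrolled, and both should appear on the list of devices needing action.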

If Seton had something similar to AlertBoot FDE, there’s a good chance that they could have maintained their unbroken streak of HIPAA breaches (or rather, lack of HIPAA breaches).
