According to csoonline.com, Watermark Retirement Communities announced a HIPAA data breach just prior to the three-day weekend. The cause of the breach? A laptop computer that was stolen from an employee’s car. Of course, this wouldn’t really be an issue if the computer’s data had been properly protected, such as with managed HIPAA encryption software like AlertBoot. The laptop in question, however, only made use of “password protection,” an observation that doesn’t sit well with Dave Lewis, the author of the article at csoonline.com.
Lewis has covered my pet peeves (read it here), so I think I’ll just point out some stuff he hasn’t covered.
Sensitive information was lost in this latest medical data breach. According to csoonline.com:
Personal information including name, address, telephone number, email address, date of birth and social security numbers.
The inclusion of SSNs makes this a very serious breach. And, let’s not forget, the laptop was stolen from a car, so it’s safe to say that Watermark was remiss in its medical data stewardship by not using encryption software: while it’s true that the use of encryption is not required under HIPAA, it’s also true that a covered entity choosing an alternative to encryption is required to protect PHI with a measure that is as good as encryption. From hhs.gov (my emphases):
Is the use of encryption mandatory in the Security Rule?
No. The final Security Rule made the use of encryption an addressable implementation specification. See 45 CFR § 164.312(a)(2)(iv) and (e)(2)(ii). The encryption implementation specification is addressable, and must therefore be implemented if, after a risk assessment, the entity has determined that the specification is a reasonable and appropriate safeguard in its risk management of the confidentiality, integrity and availability of e-PHI. If the entity decides that the addressable implementation specification [Ed. – that is, encryption] is not reasonable and appropriate, it must document that determination and implement an equivalent alternative measure, presuming that the alternative is reasonable and appropriate.
There it is, straight from the horse’s mouth. In a world where encryption exists, why would you use an alternative that is merely equivalent to encryption? (Or something that is even better than encryption. It’s not mentioned, but I’m sure the HHS wouldn’t have any objections to using a security measure that is better than encryption.)
Mulling over this last question is even more important when you consider that the use of encryption is the only way to gain safe harbor from the Breach Notification Rule, where people need to be notified of the data breach (and the HHS and media as well, if more than 500 people are affected).
Massachusetts Data Protection Laws
It’s also come to my attention that Watermark Retirement Communities has facilities in the state of Massachusetts. As I wrote last week, the Bay State has one of the most onerous encryption laws in the US.
Unlike HIPAA, Massachusetts requires that personal data be protected with encryption. It goes without saying that the state’s Attorney General will be looking into Watermark. Again, the simple use of encryption would have provided protection to the company (not to mention to the people whose SSNs and other data were lost).
Giving the Benefit of the Doubt
One could give Watermark the benefit of the doubt. This wouldn’t be the first time that an organization with top-notch security practices and policies was found with a breach on its hands. After all, perfect security is an ideal, a goal – but not a realistic one.
On the other hand, you’ve got to consider the fact that (a) they had password-protection in place, which increases the odds that the laptop in question had undergone whatever IT policies the company had in place, (b) the timing of the announcement leaves a bit to be desired, and (c) they downplayed the risks of the data breach.
Still, assuming that the lack of encryption was really an oversight, the company may want to use something like AlertBoot to keep track of its laptops. Not only would it get a real-time view of how many laptops are encrypted, but the cloud-based management of full disk encryption also allows geographically dispersed companies to centralize their endpoint encryption.