Penn Medicine Rittenhouse has contacted approximately 600 people, alerting them of a data breach. It’s one of those instances where advanced IT couldn’t really have helped (paper documents were stolen), but it does raise the following question: are we really to believe that laptop thefts from medical establishments are for the hardware and not for the patient data contained within?
Receipts Stolen, Most Recovered on Grounds
Someone broke into Penn Medicine Rittenhouse’s premises last month and stole receipts that contained information on patients. Thankfully, the information found on these receipts was truncated (and, especially important, the most sensitive information wasn’t on them at all). According to philly.com:
“The receipts did not include social security numbers, diagnoses, insurance numbers or full credit card numbers. They did show varying information, including combinations of patient name, date of birth and the last four digits of credit card numbers.”
Of course, names and dates of birth can be used to perpetrate fraud as well; however, a bit more effort is required to do so, and chances are that holding only basic information will lead criminals to seek other victims whose sensitive information is more easily accessible. Possibly, this is what the thief who burgled Penn Medicine Rittenhouse decided as well. Hence the discarded receipts on hospital grounds: once he saw that easily monetized information (such as SSNs) was missing, he just dumped the whole batch.
Hospital Thefts Revolving Around Data
Perhaps it’s not surprising that such data breaches, where paper documents are stolen, are increasing. After all, we’re living in the Information Age, and turning data into cash – regardless of what form that data takes – has been a viable business for a while. (Perhaps one reason that should be factored into this growth is that securing paper documents remains in the information Dark Ages: we still use the same technology we used in the ’50s and earlier, whereas digital data is becoming easier to secure at a fraction of the complexity and price. Also, far more attention is spent on protecting digital data, meaning physical records are falling by the wayside.)
Consider, too, that so-called “insider attacks,” where people who are routinely given access to sensitive data as part of their employment misuse that access, are also growing as data breach vectors.
Which makes me wonder: what percentage of laptops, and other computer hardware that stores information, are stolen for the information stored on them? When you read of HIPAA data breaches revolving around stolen hardware, the breach notification letter always states something along the lines of “we believe that the theft was motivated by the hardware.” That is, the thieves were looking to make a quick buck by reselling the laptop ASAP.
Now, this makes sense if the laptop was stolen from an unmarked car. But what if it was stolen from a clinic, a general hospital, or another medical facility? Or an ambulance? Or the house of a person who is well known in the neighborhood for being a neurosurgeon? Are we really to believe that obtaining patient information played no part in the theft’s motivation, and so that the risk of a patient’s data being used for fraud is also very low?
In an era where more and more PHI data breaches are being directly attributed to the theft of patient data, rather than treated as an indirect consequence of some other criminal intent, believing that the theft of a laptop was for the hardware is an untenable position.
Thankfully, updated HIPAA regulations make such beliefs a moot point: under the final rules, HIPAA covered entities are instructed to assume that the loss of a laptop is tantamount to a PHI data breach unless it can be demonstrated that the risk is low (for example, because laptop encryption was used to secure the endpoint device).