If an organization announces a data breach but does not reveal whether it used data security software – like AlertBoot’s managed HIPAA laptop encryption solution (http://www.alertboot.com/) – is there a way to tell whether it was indeed using it? You can if the organization is covered by HIPAA.
Georgia Department of Behavioral Health and Developmental Disabilities
According to phiprivacy.net, the Georgia Department of Behavioral Health and Developmental Disabilities (DBHDD) has alerted nearly 3,400 people that their information was breached when an employee of the department lost his laptop at a conference. Well, “lost” isn’t the right word. It was stolen. From the employee’s car.
Directly as a result of the theft, DBHDD has sent letters to the affected patients and followed other steps mandated by HHS (my emphasis):
Because the laptop contains information of more than 500 individuals, the Health Insurance Portability and Accountability Act (HIPAA) requires that DBHDD notify the media about the incident. We have followed the reporting procedures mandated by the U.S. Department of Health and Human Services. The media notice, letter and this website provide information on how to contact DBHDD and federally-approved companies that offer free credit reports and free fraud alerts on those credit reports.
It’s not mentioned whether encryption software (http://www.alertboot.com/disk_encryption/mobile_security_byod_mdm.aspx) was used, although the notice does acknowledge that “there are security measures in place on the laptop which will wipe the data and prevent access to the PHI if an unauthorized user attempts to access the internet.”
Now, this could refer either to (a) disk encryption software (http://www.alertboot.com/disk_encryption/disk_encryption_product_tour.aspx) whose key can be erased remotely, like AlertBoot, or to (b) something that is not an encryption solution but manages to erase the information nonetheless.
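The practical difference between (a) and (b) is what a copy of the drive looks like if it is taken before the laptop ever reaches the internet. The following is an added illustration, not AlertBoot’s code or the DBHDD control: a stdlib-only toy cipher stands in for full-disk encryption, the patient record is constructed, and the keystore slot and check-in agent are hypothetical. It shows that a wipe which fires only on internet access never touches an offline copy, while data encrypted at rest stays unreadable once the key is gone.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample record; stands in for the PHI on the stolen laptop.
PHI = b"Patient: J. Doe, DOB 1970-01-01, Dx: F41.1"

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher (HMAC-SHA256 in counter mode) standing in for
    full-disk encryption. Symmetric: the same call decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

@dataclass
class Laptop:
    control: str                 # "remote_wipe" (option b) or "encryption" (option a)
    disk: bytes = b""            # what is physically on the drive
    key: Optional[bytes] = None  # hypothetical keystore slot, erasable remotely
    nonce: bytes = field(default_factory=lambda: os.urandom(16))

def provision(control: str, record: bytes) -> Laptop:
    lap = Laptop(control=control)
    if control == "encryption":
        lap.key = os.urandom(32)
        lap.disk = keystream_xor(lap.key, lap.nonce, record)  # ciphertext at rest
    else:
        lap.disk = record                                      # plaintext at rest
    return lap

def agent_checks_in(lap: Laptop) -> None:
    """Runs only when the laptop reaches the internet, as the DBHDD notice describes."""
    if lap.control == "remote_wipe":
        lap.disk = b"\x00" * len(lap.disk)  # wipe the plaintext
    else:
        lap.key = None                      # erase the key; ciphertext stays unreadable

def phi_in_offline_copy(control: str) -> bool:
    """Does a copy of the drive taken before any check-in contain readable PHI?"""
    lap = provision(control, PHI)
    copy = lap.disk         # drive copied while the laptop is still offline
    agent_checks_in(lap)    # the wipe or key erasure arrives afterwards
    return PHI in copy      # True for remote_wipe, False for encryption
```

Under HIPAA only control (a) leaves the lost data unreadable without further action, which is why it earns safe harbor and (b) does not.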
If I were a betting man – and I am – I would say that the notice is referring to the latter for the following reasons.
HIPAA, GA Data Breach Notification Law, and Encryption
A strong indication that encryption was not used lies in the department’s actions as detailed in the blurb quoted above. Under HIPAA, the use of strong encryption provides safe harbor from all of those things that HHS mandates.
That is not a bad deal, seeing as going public with a data breach that carries a real possibility of identity theft and other crimes leads to lawsuits; to appropriating funds to rectify the mess, including contacting breach victims and setting up answering services; to loss of face in the community at large as well as nationwide; and to an investigation by HHS, which could lead to monetary penalties (up to $1.5 million per violation), annual security reports to HHS for up to 20 years, and a full-blown inquiry into the policies and practices of the breached organization. The latter can take years to complete.
In short, if you had used encryption, you wouldn’t be going through the Breach Notification Rule’s mandates. If you are going through them, the odds are extremely good that you didn’t use encryption.
In addition, Georgia is one of the states whose own data breach notification law provides safe harbor for encrypted data. Had the DBHDD breach taken place in New York, one of the few states with no such protection, you might still have to report the breach (I’m not sure whether the law provides an out for data governed by HIPAA), which would provide an alternative reason for announcing the theft of a laptop with PHI.
Otherwise, there’s no real reason to do so: legally you’re not required to, and because the protection afforded by encryption is real (and not just some theoretical concept on a professor’s whiteboard), you’re not doing wrong by your patients.