I don’t think I’ve ever come across a story where a laptop stolen from a car turns out to be protected according to HIPAA standards. Well, there’s always a first time for everything: according to thestate.com, laptop encryption was used on a stolen computer that belonged to the South Carolina Department of Mental Health. And while the department has earned its Teflon shield, the same cannot be said of the employee.
Parked, Unlocked Car
If there was ever a reason to use encryption software, the following story is it. An employee with the above-mentioned department lost her state-issued laptop, cellular phone, keys, and a Wi-Fi hotspot device, among other things. And while she’s a victim of theft, she cannot avoid blame, either.
For you see, the items were stolen from a car. A car that was apparently parked unlocked. Regardless of how safe the neighborhood, doing so is just asking for trouble.
Of course, it’s cases like this that makes the benefits of encryption salient: despite knowing that leaving your car parked and unlocked is a bad idea, people do it all the time. The fact that there are valuables in it does not matter, apparently.
In light of such actions, does it surprise anyone that employee education on data security procedures and best practices doesn’t really work?
Chicken and Egg
There is room for debate here, though: Couldn’t it be that the employee had acted a bit irresponsibly knowing that the laptop was encrypted? You know, like how people started speeding up once seat belts in cars became mandatory? And then once again when airbags were mandatory as well?
My guess is that the answer is “no” in this particular circumstance, since it wasn’t only the laptop that was stolen. A bunch of other stuff, presumably personal in nature, was stolen as well – and my guess is that these were not protected as well as the laptop had been.
Why is This News?
You got me. Under HIPAA, the conditions are met for safe harbor from the Breach Notification Rule. Furthermore, South Carolina is one of those states where the use of encryption provides safe harbor from state breach notification laws. (And let’s not forget that encryption provides real protection. It’s not just some requirement you cross off a list to “prove” that you’re meeting some abstract requirement that’s part of some bureaucracy).
My personal guess is that an intrepid reporter found a case filed with the police department, and got wind of the data breach that way. Had it not been for the theft of personal items, chances are that the public would not be aware of such a happening.
Related Articles and Sites: