As 2014 winds down, I had come to believe that data breaches caused by the loss or theft of unencrypted laptops were genuinely on the decline: relative to earlier years, I hadn't come across many such stories. I attributed this to the increased use of disk encryption software, such as AlertBoot's managed laptop encryption services; our company has seen a phenomenal uptick in new clients over the past 12 months.
And then I return from my Christmas festivities to find three stories at phiprivacy.net and its companion site databreaches.net involving unencrypted laptops, making me question whether it was all just an illusion.
Physicians Skin & Weight Centers, Inc
An employee’s car was broken into, and a laptop computer and external hard drive were stolen. The breached data included:
Images taken during the course of their treatment with their first and/or last name; and some patients’ name on a company invoice. Also, a limited number of patients had banking information including full routing numbers, account numbers, and/or credit card numbers; and/or a copy of our financing application detailing some patients’ social security number, date of birth, mailing address, email address, income, rent payment, and employer’s name potentially exposed.
Based on the references to "patients" and "treatment," and on the name of the organization, we can only assume that Physicians Skin & Weight Centers is a HIPAA covered entity. Why the employee's laptop (and the external hard drive) was not protected with HIPAA-grade encryption, then, is something of a mystery.
It certainly would have saved them a lot of grief: under the HIPAA Breach Notification Rule, PHI that is encrypted in accordance with HHS guidance is not considered "unsecured," so its loss does not trigger breach notification at all, and most state breach notification laws carry a similar encryption safe harbor.
In what reads like a personal letter to clients, a CPA admits to losing his clients’ data and triggering a data breach:
It is with a heavy heart that I bring you this news. On Friday, December 19, 2014, my vehicle was broken into. My briefcase, laptop (password protected) and a flash drive containing confidential client information were stolen. The car was locked and parked in a well-lit commercial area in front of a busy restaurant.
While it's nice that the machine was password protected, the fact that a data breach notification letter is going out at all is proof that password protection is worth nearly squat when it comes to data security. A login password only gates the operating system session; it does nothing to the bytes on the disk, which a thief can read by pulling the drive and attaching it to another machine, or simply by booting the laptop from a USB stick, unless the disk itself is encrypted. I make a point of showing how easy it is to get around so-called "protection" each year, and I've already posted a number of articles throughout 2014 to that effect.
Still, perhaps the CPA ought to be given a break. His business sounds like a sole proprietorship, and if multi-billion-dollar companies cannot get this right, how is one person, whose training is in accounting and finance, supposed to knowledgeably oversee every IT aspect of his business? For all we know, he honestly thinks that password protection is the same as encryption. They both take passwords, right?
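None of the letters above say what "password protected" actually meant, so here is how you would tell the two apart on a Linux laptop. This is an added example, not code from the original post or from AlertBoot: it assumes Linux with dm-crypt/LUKS and util-linux's `lsblk`, and the `lsblk` output embedded below is constructed for illustration (it mirrors `lsblk -P -o KNAME,PKNAME,TYPE,FSTYPE,MOUNTPOINT` on a typical LVM-on-LUKS install with a plain NTFS USB stick attached).

```shell
#!/bin/sh
# Added example (not from the original post): decide whether the data under a
# mount point is really encrypted at rest, independent of any login password.
# Assumes Linux, dm-crypt/LUKS and util-linux lsblk. The sample below is
# constructed output of: lsblk -P -o KNAME,PKNAME,TYPE,FSTYPE,MOUNTPOINT
SAMPLE_LSBLK='KNAME="nvme0n1" PKNAME="" TYPE="disk" FSTYPE="" MOUNTPOINT=""
KNAME="nvme0n1p1" PKNAME="nvme0n1" TYPE="part" FSTYPE="vfat" MOUNTPOINT="/boot/efi"
KNAME="nvme0n1p2" PKNAME="nvme0n1" TYPE="part" FSTYPE="crypto_LUKS" MOUNTPOINT=""
KNAME="dm-0" PKNAME="nvme0n1p2" TYPE="crypt" FSTYPE="LVM2_member" MOUNTPOINT=""
KNAME="dm-1" PKNAME="dm-0" TYPE="lvm" FSTYPE="ext4" MOUNTPOINT="/"
KNAME="dm-2" PKNAME="dm-0" TYPE="lvm" FSTYPE="ext4" MOUNTPOINT="/home"
KNAME="sdb" PKNAME="" TYPE="disk" FSTYPE="" MOUNTPOINT=""
KNAME="sdb1" PKNAME="sdb" TYPE="part" FSTYPE="ntfs" MOUNTPOINT="/mnt/usb"'

# Reads lsblk key="value" pairs on stdin. For the mount point given as $1 it
# prints "encrypted" if any dm-crypt layer (TYPE="crypt") sits anywhere below
# the filesystem, "plaintext" if the chain reaches a raw disk without one, and
# "not-mounted" if nothing is mounted there. Walking the parent chain matters:
# with LVM-on-LUKS the filesystem's own device is TYPE="lvm", not "crypt".
# (Assumes mount point paths contain no spaces.)
mount_encryption_status() {
    awk -v mp="$1" '
        {
            k = ""; p = ""; t = ""; m = ""
            for (i = 1; i <= NF; i++) {
                n = index($i, "=")
                key = substr($i, 1, n - 1)
                val = substr($i, n + 2, length($i) - n - 2)   # strip the quotes
                if (key == "KNAME") k = val
                else if (key == "PKNAME") p = val
                else if (key == "TYPE") t = val
                else if (key == "MOUNTPOINT") m = val
            }
            type[k] = t; parent[k] = p
            if (m == mp) dev = k
        }
        END {
            if (dev == "") { print "not-mounted"; exit }
            # Follow the stack downwards (lvm -> crypt -> part -> disk).
            for (d = dev; d != ""; d = parent[d]) {
                if (type[d] == "crypt") { print "encrypted"; exit }
            }
            print "plaintext"
        }
    '
}

# Same check against the live system (needs util-linux lsblk).
live_status() {
    lsblk -P -o KNAME,PKNAME,TYPE,FSTYPE,MOUNTPOINT | mount_encryption_status "$1"
}

# Demonstration on the constructed sample:
printf '%s\n' "$SAMPLE_LSBLK" | mount_encryption_status /          # encrypted
printf '%s\n' "$SAMPLE_LSBLK" | mount_encryption_status /home      # encrypted
printf '%s\n' "$SAMPLE_LSBLK" | mount_encryption_status /boot/efi  # plaintext
printf '%s\n' "$SAMPLE_LSBLK" | mount_encryption_status /mnt/usb   # plaintext
```

The boot partition reporting "plaintext" is expected: the firmware has to read it, and it holds no user data. The USB stick reporting "plaintext" is exactly the CPA's flash drive problem. Note that nothing in this check looks at the login password, because the password is irrelevant to what a thief reads off the drive. On Windows the equivalent question is answered by `manage-bde -status` (BitLocker) and on macOS by `fdesetup status` (FileVault).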
While parked at a coffee shop in Roseville, Minnesota, someone smashed open the backseat window of our consultant’s car. Among other things in the car, our consultant’s laptop was stolen.
And what was on that laptop?
personal information [that] included names, phone numbers, diagnostic codes, DJO products received and dates the products were ordered or shipped, surgery dates, health insurer names (but not policy numbers), clinic names, doctors names and addresses, and doctors’ phone numbers… plus social security numbers [in certain cases].
Again, based on the information above, it's hard not to assume we're dealing with another HIPAA covered entity. Furthermore, since the consultant was at the heart of this data breach, we're also dealing with what the HIPAA regulations call a "business associate" (BA): an outside contractor that a covered entity hires to do work it can't (or won't) do itself. Industry surveys show that BAs tend to account for at least a third of all HIPAA data breaches.
Which is why, since the 2013 HIPAA Omnibus Rule, BAs are held to essentially the same data security standards as covered entities and are directly liable for meeting them. The covered entity that hired them remains accountable as well.
Cars are Not Safes
There's a reason banks use armored cars to move bonds, cash, and other valuables from point A to point B: your average Toyota is not break-proof. If someone walking by fancies your GPS unit, radio, child seat, or what have you, there is very little stopping him (or her) from breaking into your car. Hell, it's easier to get into than your old high school locker.
A car, after all, is made of glass in significant part.