HIPAA Breach: Burglaries Happen.

There are brazen thieves and then there is this guy: video footage from a security camera obtained by krgv.com shows a middle-aged man leisurely strolling back to his stolen truck with a stolen computer under his arm.  It’s because of instances like these that the use of HIPAA-grade disk encryption like AlertBoot’s managed encryption services is strongly encouraged by the Department of Health and Human Services.

See Dick NOT Run

Sunglo Home Health Services, in Harlingen, Texas, has gone public with a data breach.  According to news reports, a burglar stole a van from the organization in the morning.  Later that night, the man drove back to the scene of the crime and stole what appears to be a desktop computer.

Apparently, this man knew what he was doing because the surveillance footage doesn’t show him hurrying at all.  He unhurriedly gets out of the van, slowly walks in the direction of the offices, and is later shown walking back to the van with a computer monitor (or possibly one of those all-in-one computers).  He doesn’t throw his ill-gotten gains into the vehicle and peel off.  Oh, no.  He has the gait of a person who’s supposed to be there.  Nothing to watch here, folks.  Just moving a computer in the middle of the night.

Desktop Computer Encryption not Used

Sunglo has notified thousands of patients that they are at risk.  Considering the circumstances – admitting to a breach would put Sunglo in trouble with the federal and local governments, not to mention their own clients (which, admittedly, is not Sunglo’s fault; let’s not blame the victim here) – it looks like the stolen computer did not use data encryption:  HIPAA/HITECH provides safe harbor if encrypted patient data is lost or stolen.

Furthermore, the state of Texas also provides safe harbor in those instances where encrypted sensitive data is lost or stolen.

Plus, let’s not forget that the US is known as a lawsuit-happy place for a reason.

In other words, there is a lot of motivation to take advantage of any existing safe harbor provisions.  That Sunglo has not done so strongly indicates that they couldn’t, not that they wouldn’t.

Reactive vs. Proactive Security

This is not to say that Sunglo didn’t have any data security provisions in place.  According to the krgv.com report, their IT director is continuously checking to see if the computer comes on-line.  In other words, they have some kind of internet-based tracking application installed on the stolen computer.  And that is great and all, but it doesn’t do as much as other security tools could.  Online tracking may eventually lead to the thief – if one’s lucky.  But it cannot stop the thief from accessing the computer, copying the data, and uploading it to a hacker board before the cops show up.

And even if the computer is retrieved, the incident counts as a data breach – so, again, the advantages of using a proactive data security system like encryption are easily confirmed.

