I’ve just run across a data breach notification that is a first of its kind: a data breach where the affected organization tells its clients (technically, patients) that nothing happened. It’s like the Seinfeld show of data breaches. The breach notification letter is about nothing. Absolutely nothing. Yet, there is something there.
All kidding aside, this situation is a novel reason for deploying HIPAA encryption software in medical environments.
Break-in But No Disturbance
According to ktvz.com, Mosaic Medical in Oregon has notified 2,207 patients of a “possible” breach of medical information. In January of this year, Mosaic discovered traces of a break-in at their Health Information Technology department. Indeed, the organization said:
There was nothing stolen from the office, and there was no breach of our electronic medical records system. There is no evidence that anything in the office was disturbed.
Why the breach notification letter? The problem lies with their non-digital (i.e., paper) documents:
we cannot say with certainty that no medical records were accessed. The personal information that was possibly accessed was on paper documents within the office and included health information, medical insurance information, phone number, and e-mail addresses.
Of course, there is always the possibility that these medical records were not accessed – it could be that the guy doing the B&E got cold feet as he (or she or they) was crossing the threshold from vandalism to outright burglary.
Another Reason Why You’re Better Off With Encryption Than Without
The above highlights an interesting situation. Forget for a moment that a medical office tends to have paper documents with sensitive data on them (for one, incoming patients have to fill forms). Let’s imagine a situation where all data is computerized and that “to suffer from a data breach” means an unauthorized third party accessed medical data.
Under the current HIPAA/HITECH regulations, covered entities and their business associates are to assume that a potential data breach situation (“potential” because it’s not known whether a data breach occurred or not. For instance, if a laptop is lost) will actually result in a data breach, and thus is a data breach, unless it can be proven otherwise.
In this light, one can easily see why the use of disk encryption software provides safe harbor from HIPAA/HITECH when dealing with lost or stolen laptops: knowing that the odds of brute-force hacking into an encrypted laptop are minimal, one can assume that the contents of the device are safe if encrypted. There are, of course, caveats: if the password was written to a post-it and stuck to the laptop, or if the person who absconded with the laptop is the user (think of ex-employees, for example).
With Mosaic above, even if they operated a fully digital office without a trace of paper, they’d still have to notify their 2,000-odd patients of a potential data breach if they don’t use computer encryption software. The reason being that it’s not really possible to figure out whether a computer has been accessed or not: sure, you can set up a system to log all such all instances. At the same time, erasing such logs and cleaning up any digital traces is not exactly rocket science.