One of the worst US states in which to have a data breach, especially a medical data breach, is probably California: in addition to federal HIPAA regulations, California has shown itself to be quite aggressive when dealing with medical entities that experience a data breach. Indeed, there’s some (valid) criticism that the CA Dept. of Public Health is a bit more heavy-handed than its federal counterpart. So, it always catches me by surprise when I see a California health organization filing a data breach notification and admitting to the lack of disk encryption on its stolen laptops.
Stolen EKG Laptop
Valley Community Healthcare (VCH), according to databreaches.net, has filed a breach notification letter with the Office of the Attorney General (California). In the letter, the organization divulges that a laptop computer that was used in conjunction with an EKG machine was stolen. This was discovered on February 24.
The machine contained names and dates of birth but no SSNs, driver’s license numbers, ID card numbers, or financial data (that last one, if it were present, would be quite surprising; why would you load financial details on an EKG machine?). The machine was “secured” with password-protection but did not make use of medical laptop data encryption solutions like AlertBoot.
The importance of encrypting laptops that contain sensitive data can hardly be overstated. This is especially true when it comes to medical data because the government, at the state and federal level, takes data breaches very seriously: increasing financial penalties as well as other forms of censure (biannual reports on the state of IT security, unannounced audits, etc.) are evidence of the greater importance placed on personal medical data security.
Additional Security Measures
Possibly as a reflection of this, VCH has also promised “additional security measures, including IT encryption and storage of medical databases, and securing computers so that they cannot be removed.”
While such an action is to be welcomed, the truth is that it’s quite disappointing. Why do it after you’ve experienced a data breach? Why not do it before it happens? It’s like promising to always wear a seatbelt after you’ve been in a near-fatal accident.