We’re on the cusp of 2018, yet data breaches that smell like 2008 are still making an appearance. According to various news outlets, UNC Health Care has announced a data breach that involved approximately 24,000 patients when a computer – a desktop computer – was stolen during a break-in.
The breached data:
…includes names, addresses, phone numbers, employment status, employer names, birthdates and Social Security numbers, said UNC Health Care, adding that it does not believe any treatment, diagnosis or prescription records were kept on the computer other than diagnosis codes used for billing. [bizjournals.com]
That last part may be somewhat comforting, but SSNs, names, addresses, and birthdates… that information can be easily used for fraud, as pretty much everyone knows.
It’s hard to believe that an institution the size of UNC Health Care can still be embroiled in a data breach that involves an unencrypted desktop computer. It’s been years since HIPAA regulators showed that they mean business when it comes to data breaches involving protected health information (PHI), via the issuance of fines and other penalties.
As a result, many HIPAA covered entities have gone a long way towards ensuring that they’ve at least fulfilled the minimum security requirements, which generally involves the use of full disk encryption for desktops and laptops. Had the computer in question been encrypted – and it’s safe to assume it wasn’t, per the media coverage surrounding it – the theft would have been a non-event; tantamount to losing, say, a chair.
On the other hand, when you see that UNC Health Care is a network of hospitals, and realize that such fragmentation brings its own challenges when securing data, perhaps it’s not so surprising.
And yet, safeguarding PHI, even in such situations, is not impossible. With the proliferation of wireless and mobile internet, logistical nightmares of years past are far from insurmountable. Deploying and installing disk encryption on endpoints, even those that never come in from the field, can be done quite easily.
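The point above is that encrypting endpoints, and verifying that they are encrypted, is routine work. As an added illustration (not code from the original post or from UNC Health Care), the following PowerShell script audits the BitLocker state of every fixed volume on a Windows workstation and reports any volume that is not fully protected. It assumes Windows endpoints with the BitLocker PowerShell module present and that the script is run with administrative rights; the output path and the list of acceptable encryption methods are assumptions chosen for the example.

```powershell
# Added example: audit BitLocker coverage on a Windows endpoint.
# Assumes the BitLocker module (Get-BitLockerVolume) is available and
# the session is elevated. Report path and accepted methods are assumptions.
#Requires -RunAsAdministrator

$ReportPath      = "C:\ProgramData\EncryptionAudit\bitlocker-audit.csv"  # assumed location
$AcceptedMethods = @('XtsAes128', 'XtsAes256', 'Aes128', 'Aes256')        # assumed policy

function Get-EncryptionFindings {
    # Returns one record per fixed volume with a pass/fail verdict and a reason.
    $findings = @()
    foreach ($vol in Get-BitLockerVolume) {
        # Ignore removable media; this check is about workstation disks.
        if ($vol.VolumeType -notin @('OperatingSystem', 'Data')) { continue }

        $reasons = @()
        if ($vol.ProtectionStatus -ne 'On') {
            $reasons += "protection is $($vol.ProtectionStatus)"
        }
        if ($vol.VolumeStatus -ne 'FullyEncrypted') {
            $reasons += "volume status is $($vol.VolumeStatus) ($($vol.EncryptionPercentage)% encrypted)"
        }
        if ($vol.EncryptionMethod -notin $AcceptedMethods -and $vol.VolumeStatus -ne 'FullyDecrypted') {
            $reasons += "encryption method $($vol.EncryptionMethod) is not in the accepted list"
        }
        # A recovery password protector should exist and be escrowed (AD/MBAM/Intune);
        # here we can only check that one is present on the volume.
        $hasRecovery = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
        if (-not $hasRecovery) {
            $reasons += "no RecoveryPassword key protector present"
        }

        $findings += [pscustomobject]@{
            Computer   = $env:COMPUTERNAME
            MountPoint = $vol.MountPoint
            VolumeType = $vol.VolumeType
            Status     = $vol.VolumeStatus
            Protection = $vol.ProtectionStatus
            Method     = $vol.EncryptionMethod
            Compliant  = ($reasons.Count -eq 0)
            Reason     = ($reasons -join '; ')
            CheckedAt  = (Get-Date).ToString('s')
        }
    }
    return $findings
}

$results = Get-EncryptionFindings

# Persist the audit so a central collector can pull it; create the folder if needed.
New-Item -ItemType Directory -Path (Split-Path $ReportPath) -Force | Out-Null
$results | Export-Csv -Path $ReportPath -NoTypeInformation

# Console summary: non-compliant volumes first, so a technician sees them immediately.
$results | Sort-Object Compliant | Format-Table MountPoint, VolumeType, Status, Protection, Method, Compliant, Reason -AutoSize

if ($results | Where-Object { -not $_.Compliant }) {
    Write-Warning "One or more fixed volumes on $env:COMPUTERNAME are not fully protected."
    exit 1
}
```

Run through a scheduled task or an endpoint-management tool, a script like this gives an inventory answer to the question the article raises (was the disk encrypted, and can we prove it?), and a non-zero exit code that can be turned into a ticket for any legacy machine inherited through an acquisition.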
But there’s a twist here. Apparently, the building from which the computer was stolen was a relatively new acquisition, which tends to bring its own set of problems:
A break-in at the UNC Dermatology & Skin Cancer Center in Burlington resulted in the theft of a computer …. The center – formerly known as Burlington Dermatology Center or Burlington Dermatology – is located on Vaughn Road and was acquired by UNC Health Care in 2015. [chapelboro.com]
For a lot of people, that last figure, 2015, would likely prevent them from giving UNC Health Care the benefit of the doubt on whether they were negligent regarding PHI security. Even if the acquisition had taken place in December of 2015, they had nearly two years to do something regarding the security of digital data.
It’s especially egregious when you consider that:
UNC Health Care … ensured that all remaining computers acquired from, or kept for use by Burlington Dermatology have been properly secured. UNC Health Care has also implemented process improvements to ensure that future acquisitions of physician practices include a process to properly secure legacy computers and electronic patient information. [wfmynews2.com]
The break-in occurred on October 8. The above statement was present in wfmynews2.com’s article dated December 8. They managed to secure in two months what they did not in two years? Granted, it looks like they missed the boat because they had not set a process “to ensure that future acquisitions…include a process to properly secure legacy computers”… but why didn’t they?
Based on their patchwork of hospitals, it feels like Burlington is not their first acquisition. So, one imagines that they should have had something in place per HIPAA’s Administrative Safeguards, where
“…a covered entity must identify and analyze potential risks to e-PHI, and it must implement security measures that reduce risks and vulnerabilities to a reasonable and appropriate level.”
And if not, then there are the HIPAA Physical Safeguards, where
“…a covered entity must implement policies and procedures to specify proper use of and access to workstations and electronic media. A covered entity also must have in place policies and procedures regarding the transfer, removal, disposal, and re-use of electronic media, to ensure appropriate protection of electronic protected health information (e-PHI).”
And if not, then there are the HIPAA Technical Safeguards, where
“A covered entity must implement hardware, software, and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use e-PHI.”
(Per the government’s HIPAA site).