The UCLA Health System notified 16,288 patients that an external hard drive with their first and last names, birth dates, medical record numbers, addresses and medical record information was stolen from the home of one of its employees.
Unfortunately, encrypting the data did no good: apparently the password needed to decrypt it was written on a piece of paper left on a desk next to the hard drive, and that piece of paper “cannot be located,” according to the UCLA public notice.
Sutter Physicians Services and Sutter Medical Foundation, two affiliates of the Sutter Health network, also announced that a desktop computer containing unencrypted but password-protected data on 3.3 million patients was taken from its administrative offices.
The information in the local database included names, addresses, dates of birth, phone numbers, e-mail addresses, medical record numbers and patients' health insurance plans. An additional 943,000 patient records in the database included the above data plus descriptions of medical diagnoses and/or procedures.
Is the healthcare industry more negligent than other industries when it comes to keeping personal data on its clients safe? One might think so after reading these kinds of stories almost weekly. Regrettably, however, this is not the case: It happens all the time in every industry.
Every expert will spout the same cliché, "It’s not if your company data will be breached, but when." True enough. But maintaining a closer watch on the actual devices that hold the data should be the low-hanging fruit.
Keeping the physical container safe requires more than policies issued from IT or the CSO. If such policies are to have teeth they require the full backing of other department heads.
Employees need to know if they ignore a company policy on security they will answer for it. Of course, as any HR exec can tell you, it must be a widely distributed, written policy on the books for a company to be able to reprimand the offending employee.
Having said that, I should add that many companies encourage their employees to take work home but don’t develop a serious strategy about keeping that data secure. So then who's the offender?
No matter how the healthcare officials at Sutter and UCLA Health System might spin it, these incidents could well be more than druggies looking to sell anything for some quick cash. They may have been (and, chances are, were) targeted thefts with a sinister ulterior motive. Why else would the piece of paper near the hard drive, the one containing the password needed to decrypt the data, “cannot be located”? Was the thief just tidying up?
There are no foolproof ways to keep devices and the data they hold secure. But simple things such as a cable lock and key anchored to the desk might help in some instances; some cable locks let users secure the monitor as well. Users also should use different passwords for different applications. Plus, there are a number of effective tracking devices and software programs on the market that can locate a stolen or missing laptop once it's turned on.
Finally, if you want to read about a really outrageous lapse in security, take a look at Wayne Rash’s blog, Stupid Admin Tricks, this week on our site.