US healthcare corporation Health Net kept quiet for 6 months about a lost disk drive, exposing 1.5 million of its members to identity theft. It is now being sued. The lawsuit, filed by Connecticut's Attorney General, Richard Blumenthal, is in regard to 466,000 members in that state and refers to HIPAA regulations. Health Net …
Lost drive? So what?
The drive was securely encrypted and data further encrypted/obfuscated to frustrate any attempts at unauthorised recovery.
They only have to worry if their procedures were so lax as to allow someone to attach a generic drive (unencrypted) and to copy the data over in the clear.
And only total amateurs would allow such a thing to happen, professionals dealing with vast amounts of sensitive information would be experts at handling such information securely.
Ad-hoc encryption (just write it into your procedures) is a piece of piss, has no real overhead and is better than nothing (just try TrueCrypt if you don't believe me).
System-wide encryption is harder but still doable and is certainly cheaper than having your ass sued off when (not "if", "when"!) you lose the data vessel.
There is no excuse for sensitive data of any kind leaving a facility in the clear other than gross incompetence/negligence.
Perhaps the USA would like some advice from the UK government on data security?
Oh...wait a minute...
They went further
The data was only viewable in specific software...
So would that be Excel or Access?
Could not happen in the UK
No one would have that much accountability.
Ultimately *only* a hit to the wallet makes corporations pay attention. Truecrypt anyone?
Thumbs up but only for the kicking.
Health Net said the data could only be viewed with specific software, but unfortunately that software was commonly available.
so that's Adobe Reader then.
So it is not just the UK NHS that is useless at protecting patient data
As for the suit, it is a matter of damages, has any individual actually been harmed?
Has the data been retrieved and used?
There is no excuse not to encrypt. As for "certain software", that could be MySQL or even SQL Server, both of which are available for free. There are also recovery utilities freely available that can extract and reconstruct the data.
I have done this from a single disk within a RAID array so encryption is a must.
However, it still comes down to what damage has actually been done.
The damages today are violation of HIPAA regs
Frankly, the loss of so much data ought to bring the corporate death penalty. The loss was entirely preventable and this type of gross negligence is all too common.
Gut and fillet a few of these entities that are so cavalier with our private information and the rest will get in line for secure data standards.
It is a shame that there is no legal remedy that permits the dissolution of the corporation and a lifetime bar for the corporate officers and directors working in the same field. Regulatory frameworks aren't working: only Draconian measures will get the attention of the IT industry.
The need for encrypting data before it leaves the location is common knowledge to any IT jockey (note, I did not use "pro") in the industry. What all is explicitly stated in HIPAA may be unknown to a fair portion, but the general sense is quite obvious: use secure passwords, use encrypted channels of communication, encrypt portable data, etc., etc. This company obviously did not follow such common guidelines, let alone a HIPAA mandate. Also, the only user in an organization that would have need for 1.5 million records is either an IT person, or someone who needed an IT person to get it... (think upper management or research/development)
Just plain fail.
Your data is not secure
I can still log into any server at my old employer (a hospital). The NT account had permissions on all the servers (over 150), Citrix remote gateway access and admin rights on all servers. The user name and password are most certainly not complex: single words out of the dictionary with no caps or special characters. The password also never expires and was never changed in the four years I worked there. It would commonly be viewed as a weak password. And this was not some Podunk rural hospital; we were the only level one trauma center in the area and served thousands of patients a day. Your data is most certainly NOT secure and anyone who believes it is fooling themselves. I hate to be the Chicken Little type but this is just one real world example. When companies only view IT as an expense and don't invest properly in their infrastructure, stuff like this happens.