Medical diagnoses for 130,000 people vanish into thin air New York-based Lincoln Medical and Mental Health Center has become one of the latest medical providers to expose highly sensitive patient data after CDs containing unencrypted data sent by FedEx never made it to their destination. The breach exposed medical and psychological diagnoses and procedures for 130,495 patients, …
If you want to send sensitive documents, use United States Postal Service registered mail. Hello, clue time here! This is used for government classified documents all the time. If businesses can't be bothered with basic encryption, then at least they can send stuff securely.
for sale ad:
selling full identity info for 130495 people, found on seven disks/frisbees tossed from a fedex delivery van towards a door that they thought was only 5 meters away. The disks/frisbees apparently followed a weird trajectory in the air while flying after being tossed from said van and landed: a few under a bush, two were found embedded into a tree, shuriken style, and one was found dangling from the squirrel feeder in the large front yard (yard which fedex apparently failed to notice that it has more than 50 meters across)
Data quality is exceptional, contains names, addresses, social security numbers, medical record numbers, dates of birth and other details that are regularly snarf^H^H^H^H^H required.
contact info: root@localhost
/end fedex tongue-in-cheek ad :p
I'm not so sure that the problem is that unencrypted data were sent, rather that the unencrypted data were sent in an insecure manner. Sometimes you just can't encrypt data, paper records would be a good example, as would moving a large tape library from one building to another, when the tapes in that library aren't already encrypted. Another example may be that you have a large amount of data tapes to be destroyed and that has to be done at a secure facility.
I think that the problem here is that, if you are sending data unencrypted, you must put appropriate security measures in place. For instance, if your company policy is that unencrypted data be sent by an approved secure courier with two company employees in tow, that would probably be ok. However, if you just stick it in a jiffy bag and drop it into a post box, you need to have a serious think about what you are doing.
How do you encrypt paper files? They often need to be moved between sites because the amount of space they take up requires they are stored in a data stoarge facillity so when they are required they need to be transported to an office. You can't always move off paper records as they are often required for leagal reasons.
I wasn't referring to paper files, I was referring to data of this type (i.e. Digital information).
For paper files I would expect a secure courier of the attaché-case-cuffed-to-wrist type or a security company armoured van to be hired for large amounts of data -- obviously depending on distance between sites and the likelihood of robbery so, at the very least, you would expect sealed boxes and a site-to-site courier rather than an envelope through a sorting office.
This reminds me of the Tory claim that having lots of disconnected local networks for the public sector is safer than having a big connected one. Yet all the major leaks seem to be due to a lack of a secure transmission method that linking all government agencies on a secure network should avoid.
But of course even with a big secure network people would still insist on carrying patient data about on memory sticks and DVDs, I wouldn't sit around outside the medical records store if I were you though.
wtf?????
Straight violation of Hipaa Privacy and the little known Hipaa security regs. If I remember correctly, that's a $50k fine PER, plus up to ten years in 'club fed' *just*on the privacy part.
On the security part::-
1.2 Penalties
CEs that do not comply with the Security Rule requirements are subject to a number of penalties. Civil penalties are $100 per violation, up to $25,000 per year for each requirement violated. Criminal penalties range from $50,000 in fines and one year in prison up to $250,000 in fines and 10 years in jail.
Good grief, that's a 1996 regulation!
"Other medical facilities to fess up to losing patient data in the past 24 hours..."
Companies are loosing medical data so regularly, they now have to list the losses by the day???
Can I suggest a new electric chair, with the electrodes in the genital area. Anyone involved in this gets 5 minutes free.
Ah, but axcrypt isnt "approved" you know.
What then, you ask? Winzip + password... I kid you not, for a (short) while this was classed as "encryption" for medical data in my country and these files could be sent over the internet...
I work in health IT and the current mandatory way to report activity to the govt. here is by CD.
One CD containing anonymous key + care record data, one CD containing the key + personal ID-mapping in separate registered mail parcels.
Oh and leaks. I really don't think the amount of leaks have increased very much. But I belive reporting has gotten better, and the leaks are "larger" affecting more patients at a time. Leaks occured with paper records as well, and then the information was truly _lost_ instead of just copied. One hospital I know of used to have 17 secretaries whose job it was to run around the hospital hunting for paper records checked out from archives in order to return them. Needless to say they didn't have a 100% success rate...
Now hospitals are starting to deploy data loss prevention packages (yes, starting...) so they get an idea of what's actually going on in their networks.
These packages are usually set to "logging only" or "quarantine/confirm" and not "deny". This is because there are some rare circumstances where sending data in plaintext might save a life, there are quite a few false positives, and because hospital boards listen more to irate doctors than to IT staff.
I belive this will change when we get a bloody stardard implemented for sharing these data with other health care institutions and for reporting activity to the govt. Then we _might_ be able to turn off all permissions for removable media at any PC with access to sensitive data and set the DLP-packages to deny all outbound to the internet.
....at losing medical records. Yeah.
Spot on regarding HIPPA, it's no joke to lose medical records. Between credit reporting agencies, marketing agencies sharing data, and lack of privacy laws, almost everything else about us US'ians is there for the buying, "they" could probably deduce what brand underwear I am buying. But medical records are sancrosanct.. I seriously doubt anyone will fine $50,000 per record, but they could easily be fined $several milllion, plus they are wide open for any civil suits anyone whose record was exposed cares to bring about.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
