CBC News recently revealed a disturbing privacy breach that happened on March 22, when a USB memory stick, containing private information for about 7,000 employees of the Edmonton Public School Board was lost.
As a result, the school board sent letters to the affected employees, notifying them that their data may have been misused.
A thumb drive containing personal data of current and past graduate medical education residents and fellows at Cooper University Hospital has recently gone missing. It was lost around July 8th, the incident was reported to the proper authorities a few days later, and only now, some two weeks on, are they looking into the potential security breach.
According to hospital sources, the lost data includes Social Security numbers, addresses, and phone numbers. As always seems to happen in such cases, the data was not in any way encrypted or protected.
The University later released the following statement:
Shands HealthCare has recently notified about 12,500 of its patients that their private medical data was stolen in January, along with the laptop that held the personal details. As almost always happens with hardware storing sensitive records, the laptop wasn’t encrypted in any way.
The stolen information contains names, addresses, medical record numbers and medical procedure codes of the patients, as well as the Social Security numbers of about 650 people. Luckily, up to now there is no evidence of any misuse of the data, and we can only hope that the thief or thieves simply wanted the notebook to sell or for personal use…
At least some measures have been taken: training for the employees and a system-wide encryption policy to prevent such data breaches in the future. And of course, there is protection for those affected, who are eligible for 12 months of free credit monitoring.
Let’s hope the new system works, because according to Gainesville.com, security breaches that expose large amounts of patient data are somewhat of a recurring habit at Shands.
The data breach rules that become effective on September 23rd have been harshly criticized by a security firm specializing in encryption. Under the Health Information Technology for Economic and Clinical Health (HITECH) Act, US health organizations using encryption will no longer be required to notify their clients of data breaches, regardless of how ineffective the encryption system is.
According to the act, only healthcare providers and plans that have implemented the HIPAA standards but fail to encrypt the sensitive data they keep on their clients will have to let individuals know their private details have been breached. Even in such a case, explains The Register, it will be up to each organization to decide if there is a real risk for those affected and only afterward issue data breach notices.
“The protection law should address everyone – including those who have already implemented encryption, since most encryption systems are point-to-point even when they say otherwise,” said Mark Bower, director of information protection solutions at Voltage Security.
In its present form, the HITECH Act offers a quick and often ineffective fix for the shortcomings of existing data security rules.
There have been quite a few cases of stolen laptops that contained private records of hundreds, thousands and even hundreds of thousands of individuals. They are increasing in number, and in some cases the consequences are a pretty strong argument for convincing other companies that they need to secure their endpoints. But apparently, recognizing the risk and having a signed contract compelling another company to protect your data is not enough. At least it wasn’t in the case of Agilent Technologies.
A laptop containing sensitive and unencrypted personal data on 51,000 current and former employees of said company has been recently stolen from the car of an Agilent vendor from San Francisco. According to MercuryNews.com, the theft was announced by Agilent in a letter sent to former employees. The stolen data included employee names, Social Security numbers, home addresses and details of stock options and other stock-related awards.
In the letter, Agilent blamed the San Jose vendor, Stock & Option Solutions, for failing to scramble or otherwise safeguard the data – “in violation of the contracted agreement.”
“It wasn’t encrypted, which was a surprise to us,” said Agilent spokeswoman Amy Flores. She said the vendor told Agilent that an East Coast employee had brought the data-laden laptop to California for encryption, but someone broke into her car and stole the computer and her other belongings while the vehicle was parked near Fisherman’s Wharf.