Big Breach Highlights Encryption's ValueIncidents Involving Unencrypted Devices Still Common
The theft of two unencrypted laptop computers from an administrative office of a California healthcare provider has potentially exposed information on 729,000 patients.
The laptops were stolen on Oct. 12 from Alhambra, Calif.-based AHMC Healthcare Inc., which operates six hospitals in the state. Information on the computers included patient names; Medicare or insurance identification numbers; diagnosis and procedure codes; and payment data, according to an online statement from the organization.
If the total number of individuals is confirmed by federal officials, this would be the second largest health data breach reported so far this year. The biggest confirmed breach for 2013 on the Department of Health and Human Services' "wall of shame" website also involves the theft of unencrypted computers. Four desktop devices were stolen in July from Advocate Medical Group, a physician group practice in Chicago, affecting about 4 million individuals.
As of Oct. 23, the HHS tally included 682 major breaches affecting a total of 26.9 million individuals since September 2009, when the HIPAA breach notification rule went into effect. The loss or theft of unencrypted computers, storage media and other devices is the No. 1 cause of breaches on the tally.
"The primary lesson to be learned is that the cost to prevent mobile device data breaches is far less than the cost of breach mitigation," says independent security consultant Brian Evans. "Mobile device encryption is a low cost/high impact solution with the goal of providing protection for confidential information.
So why do so many organizations still fail to encrypt? "In my experience, the primary drivers preventing encryption are competing priorities and a lack of leadership and staffing resources to make it happen" Evans says. "Encryption should not be too hard for healthcare providers since it is already 'baked' into most mobile devices and operating systems today."
AHMC says that although the campus where the administrative office that was the site of the theft is located is gated and patrolled by security, someone still broke into a video-monitored sixth floor office and removed the computers. The organization says it notified local police as soon as the theft was discovered on Oct. 14. After reviewing the video surveillance, police are reportedly searching for a homeless man from the area, who they allege stole the computers, according to local news media reports.
The California provider organization says it had recently engaged a third-party auditing company to perform a security risk assessment and was working through its recommendations. In the wake of the theft, AHMC says it will be expediting a policy of encrypting all laptops. "In taking these actions, AHMC Healthcare is strengthening the high standards it maintains for safeguarding protected health information," its statement notes.
AHMC did not respond to a request for comment.
A number of major breaches, including the Advocate health breach and others involving stolen devices, have resulted in class action lawsuits. The lawsuit tied to the Advocate Health breach focuses on the organization's alleged failure to safeguard and secure data in violation of the Fair Credit Reporting Act. It alleges the organization placed affected patients at risk of identity theft and fraud.
Meanwhile, a California appellate court recently dismissed a class action suit against the Board of Regents of the University of California stemming from a breach involving a 2011 burglary at the home of a UCLA Faculty Group Practice physician. An unencrypted external hard drive stolen in the burglary contained data on more than 16,000 patients treated at UCLA facilities. In dismissing the suit, which alleged UCLA failed to have reasonable controls in place to prevent the disclosure of private medical information, the court noted there was no confirmation that the affected patients' data was actually inappropriately accessed.