Data Breach: Another Stolen Laptop
Organization Improperly Installed Encryption Technology
While the organization said in its notification letter that it deploys "self-encrypting" hard drives, meaning drives that encrypt their contents in hardware so that an unauthorized person cannot read the information on the computer, this particular laptop wasn't encrypted properly. The distinction matters: a self-encrypting drive always scrambles the data it stores, but unless its locking feature is enabled and tied to a pre-boot credential, the drive releases its key automatically at power-on, and anyone who boots the machine or moves the disk to another computer reads the data in the clear.
"Although the employee and the vRad IT department believed the laptop was secured with the encryption technology, vRad discovered that the company-required encryption was not properly configured on this particular computer due to an error in the setup process," says vRad Privacy Officer Karen Scott.
The laptop was stolen on Oct. 14, but the theft wasn't discovered until the following day, at which point vRad's IT department was notified immediately.
The organization hasn't disclosed how many individuals might be affected by the breach.
According to vRad, information pertaining to certain vRad patients and physicians was stored on the computer, including limited medical information for some patients and names, addresses and sensitive information such as bank account numbers, social security numbers or credit card numbers of others.
"To date, we have no evidence that any information was actually accessed," the statement explained.
After discovering that the laptop was not encrypted, vRad launched an audit of the employee's e-mail files and local drive, which also backed up to vRad's main information system, to establish what data had been on the machine. The audit took a few weeks because of the volume of data and the variety of ways the employee worked with it; vRad also hired a third-party vendor to assist with the project.
In the breach notification letter, vRad explains that if someone connects the stolen computer to the Internet before it is reimaged with a new operating system, vRad will be notified immediately and will "wipe" the laptop completely and permanently. That is a weak backstop: a remote-wipe agent only fires if the thief boots the original operating system while online, and it does nothing against someone who reimages the machine first or simply removes the drive and reads it from another computer. Disk encryption, not remote wipe, is the control that actually protects the data on a lost laptop.
Breach Response
After vRad discovered the breach, local law enforcement was promptly notified. vRad says it's complying with all applicable New Hampshire and federal legal requirements, including the HIPAA breach notification requirements. vRad also says it will notify the Department of Health and Human Services, as the HIPAA Breach Notification Rule requires.
"We are taking steps to ensure that this situation does not happen again, such as requiring dual sign-off when new laptops are put into service," Scott says. "We also deployed our IT staff immediately to verify each computer is, in fact, encrypted properly."
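One way to carry out that kind of fleet verification, as an added example that is not part of the original article and not vRad's own tooling: the script below parses the locking-feature flags that a TCG Opal management tool prints for each drive and flags every machine whose drive encrypts media but has locking disabled, which is exactly the state in which a "self-encrypting" laptop is readable by anyone who powers it on. The query line format is assumed to follow the style of `sedutil-cli --query` (field names Locked, LockingEnabled, LockingSupported, MediaEncrypt), and the hostnames and drive outputs are constructed for this example; both should be checked against the tool actually in use.

```python
"""Fleet check for "self-encrypting" drives that are not actually locked.

A TCG Opal drive always encrypts what it stores, but it releases the media
key automatically at power-on unless locking has been enabled and bound to
a pre-boot credential.  "MediaEncrypt = Y" alone therefore proves nothing;
a laptop is only protected when LockingEnabled is also Y.

Assumptions (illustrative code, not vRad's tooling):
  * the query text carries "Name = Y/N" pairs on a "Locking function" line,
    in the style of `sedutil-cli --query <device>`;
  * the hostnames and drive outputs below are constructed samples.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Matches every "Name = Y" / "Name = N" pair, wherever it sits on a line.
_FLAG_RE = re.compile(r"\b([A-Za-z]+)\s*=\s*([YN])\b")


@dataclass(frozen=True)
class SedState:
    locking_supported: bool  # drive implements the Opal locking feature
    locking_enabled: bool    # a locking range is active: credential needed at boot
    locked: bool             # current power-on state only; N after a valid unlock
    media_encrypt: bool      # drive encrypts media (true even when unconfigured)


def parse_query(output: str) -> Optional[SedState]:
    """Pull the locking flags out of one drive's query output.

    Returns None when no locking feature block is present (not an Opal
    drive, or the tool could not talk to it).
    """
    flags: Dict[str, bool] = {name: val == "Y" for name, val in _FLAG_RE.findall(output)}
    if "LockingSupported" not in flags:
        return None
    return SedState(
        locking_supported=flags["LockingSupported"],
        locking_enabled=flags.get("LockingEnabled", False),
        locked=flags.get("Locked", False),
        media_encrypt=flags.get("MediaEncrypt", False),
    )


def assess(output: str) -> str:
    """Classify one drive.  Only PROTECTED is an acceptable state for a laptop."""
    st = parse_query(output)
    if st is None or not st.locking_supported:
        return "NO_SED"
    if st.locking_enabled:
        # Decide on LockingEnabled, not Locked: a correctly set up drive
        # reports Locked = N once the user has authenticated at boot.
        return "PROTECTED"
    if st.media_encrypt:
        # The failure mode in the article: the drive "is encrypting", but with
        # no locking range enabled it unlocks itself for whoever powers it on.
        return "ENCRYPTED_BUT_UNLOCKED"
    return "UNCONFIGURED"


def audit_fleet(results: Dict[str, str]) -> List[str]:
    """Return the hostnames whose drive is not protecting data at rest."""
    return sorted(host for host, out in results.items() if assess(out) != "PROTECTED")


# Constructed sample outputs (not captured from real hardware).
SAMPLE_PROTECTED = """\
/dev/sda ATA ExampleCorp SSD 1TB
Locking function (0x0002)
    Locked = N, LockingEnabled = Y, LockingSupported = Y, MBRDone = Y, MBREnabled = Y, MediaEncrypt = Y
"""
SAMPLE_UNLOCKED = """\
/dev/sda ATA ExampleCorp SSD 1TB
Locking function (0x0002)
    Locked = N, LockingEnabled = N, LockingSupported = Y, MBRDone = N, MBREnabled = N, MediaEncrypt = Y
"""
SAMPLE_NO_SED = """\
/dev/sda ATA LegacyDisk 500GB
No locking function present
"""

SAMPLE_FLEET = {
    "lap-01": SAMPLE_PROTECTED,
    "lap-02": SAMPLE_UNLOCKED,   # the "encrypted but never configured" laptop
    "lap-03": SAMPLE_NO_SED,
}

if __name__ == "__main__":
    for host, out in SAMPLE_FLEET.items():
        print(f"{host}: {assess(out)}")
    print("non-compliant:", audit_fleet(SAMPLE_FLEET))
```

The check deliberately keys on LockingEnabled rather than Locked, because a properly provisioned drive reports Locked = N whenever the audit runs after the user has authenticated at boot; treating that as a failure would make every correctly configured laptop look broken, while treating it as a pass would miss the unconfigured ones.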
Affected parties were notified starting the week of Oct. 24.
vRad has also taken additional steps to help affected patients and physicians. These steps include:
- Providing information on credit report and fraud alert services;
- Advising those affected to be vigilant in monitoring accounts and credit reports for evidence of identity theft; and
- Working with LifeLock, Inc. to provide credit monitoring and alerts to affected persons, at vRad's cost.