Unencrypted laptop stolen, may have contained 400,000 medical records

According to this article from Career Info Security, an unencrypted laptop containing data on up to 400,000 prisoners was stolen from the California Correctional Health Care Services. Any data contained on the unencrypted drive is available to whoever currently has the laptop, including the information on the prisoners who received medical care between 1996 and 2014. According to the article, the data on the laptop included names, addresses, Social Security numbers and medical records. Some notable things to take from the article are:

  • This is a laptop that was known to contain sensitive information (PII, ePHI) and was the property of a government official. This isn’t the place to debate the term ‘Addressable’ as it pertains to the encryption requirements under HIPAA HITECH, but the simple fact is that good, strong encryption can be free and easy with tools like VeraCrypt.
  • According to the article, 2 of the 5 top breaches on the HHS ‘2016 Wall of Shame’ (40%) were due to stolen laptops with unencrypted hard drives, exposing more than 600,000 records.
  • Kirk Nahra, a privacy attorney, was quoted: “…[the article is] a good reminder on laptop encryption, as well as a reminder to make sure that people control [what] data that is on a laptop. I always want to know in these situations why the data was on a laptop in the first place.” I understand the concept of knowing what data was [intentionally] on the laptop in the first place, but the reality is that, if the laptop has any access to sensitive data (like ePHI, PII, PCI, etc.), why take the risk? Even if no data is intentionally left on it in the form of documents, spreadsheets, etc., there are cached credentials, temporary files and the possibility that the human operating it may accidentally save sensitive information locally (is the default save-to location still Documents or My Documents?). Why risk it?
  • Stephen Wu, another privacy attorney, was quoted: “…a data minimization approach could’ve helped protect that data – for instance by having the laptop as a client to access data as needed through the cloud.” A data minimization approach may have helped, but it would not eliminate cached credentials, temporary files or accidentally saved files. Regarding storing the files in ‘the cloud’, how secure is the network connection being used to access the cloud? Are they connecting only from the office, or are they working from the free Wi-Fi at the local coffee shop?
