BreachExchange mailing list archives
Big Breach Highlights Encryption's Value
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 25 Oct 2013 23:13:48 -0600
http://www.databreachtoday.com/big-breach-highlights-encryptions-value-a-6168

The theft of two unencrypted laptop computers from an administrative office of a California healthcare provider has potentially exposed information on 729,000 patients.

The laptops were stolen on Oct. 12 from Alhambra, Calif.-based AHMC Healthcare Inc., which operates six hospitals in the state. Information on the computers included patient names; Medicare or insurance identification numbers; diagnosis and procedure codes; and payment data, according to an online statement from the organization.

"The primary lesson to be learned is that the cost to prevent mobile device data breaches is far less than the cost of breach mitigation," says independent security consultant Brian Evans. "Mobile device encryption is a low cost/high impact solution with the goal of providing protection for confidential information."

If the total number of individuals is confirmed by federal officials, this would be the second largest health data breach reported so far this year. The biggest confirmed breach for 2013 on the Department of Health and Human Services' "wall of shame" website also involves the theft of unencrypted computers. Four desktop devices were stolen in July from Advocate Medical Group, a physician group practice in Chicago, affecting about 4 million individuals.

As of Oct. 23, the HHS tally included 682 major breaches affecting a total of 26.9 million individuals since September 2009, when the HIPAA breach notification rule went into effect. The loss or theft of unencrypted computers, storage media and other devices is the No. 1 cause of breaches on the tally.

So why do so many organizations still fail to encrypt? "In my experience, the primary drivers preventing encryption are competing priorities and a lack of leadership and staffing resources to make it happen," Evans says. "Encryption should not be too hard for healthcare providers since it is already 'baked' into most mobile devices and operating systems today."

Breach Details

AHMC says that although the campus where the administrative office that was the site of the theft is located is gated and patrolled by security, someone still broke into a video-monitored sixth floor office and removed the computers. The organization says it notified local police as soon as the theft was discovered on Oct. 14. After reviewing the video surveillance, police are reportedly searching for a homeless man from the area, who they allege stole the computers, according to local news media reports.

The California provider organization says it had recently engaged a third-party auditing company to perform a security risk assessment and was working through its recommendations. In the wake of the theft, AHMC says it will be expediting a policy of encrypting all laptops. "In taking these actions, AHMC Healthcare is strengthening the high standards it maintains for safeguarding protected health information," its statement notes. AHMC did not respond to a request for comment.

Dismissed Suit

A number of major breaches, including the Advocate health breach and others involving stolen devices, have resulted in class action lawsuits. The lawsuit tied to the Advocate Health breach focuses on the organization's alleged failure to safeguard and secure data in violation of the Fair Credit Reporting Act. It alleges the organization placed affected patients at risk of identity theft and fraud.

Meanwhile, a California appellate court recently dismissed a class action suit against the Board of Regents of the University of California stemming from a breach involving a 2011 burglary at the home of a UCLA Faculty Group Practice physician. An unencrypted external hard drive stolen in the burglary contained data on more than 16,000 patients treated at UCLA facilities.

In dismissing the suit, which alleged UCLA failed to have reasonable controls in place to prevent the disclosure of private medical information, the court noted there was no confirmation that the affected patients' data was actually inappropriately accessed.