BreachExchange mailing list archives

Big Breach Highlights Encryption's Value


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 25 Oct 2013 23:13:48 -0600

http://www.databreachtoday.com/big-breach-highlights-encryptions-value-a-6168

The theft of two unencrypted laptop computers from an administrative office
of a California healthcare provider has potentially exposed information on
729,000 patients.

The laptops were stolen on Oct. 12 from Alhambra, Calif.-based AHMC
Healthcare Inc., which operates six hospitals in the state. Information on
the computers included patient names; Medicare or insurance identification
numbers; diagnosis and procedure codes; and payment data, according to an
online statement from the organization.

"The primary lesson to be learned is that the cost to prevent mobile device
data breaches is far less than the cost of breach mitigation," says
independent security consultant Brian Evans. "Mobile device encryption is a
low cost/high impact solution with the goal of providing protection for
confidential information."

If the total number of individuals is confirmed by federal officials, this
would be the second largest health data breach reported so far this year.
The biggest confirmed breach for 2013 on the Department of Health and Human
Services' "wall of shame" website also involves the theft of unencrypted
computers. Four desktop devices were stolen in July from Advocate Medical
Group, a physician group practice in Chicago, affecting about 4 million
individuals.

As of Oct. 23, the HHS tally included 682 major breaches affecting a total
of 26.9 million individuals since September 2009, when the HIPAA breach
notification rule went into effect. The loss or theft of unencrypted
computers, storage media and other devices is the No. 1 cause of breaches
on the tally.

So why do so many organizations still fail to encrypt? "In my experience,
the primary drivers preventing encryption are competing priorities and a
lack of leadership and staffing resources to make it happen," Evans says.
"Encryption should not be too hard for healthcare providers since it is
already 'baked' into most mobile devices and operating systems today."

Breach Details

AHMC says that although the campus housing the administrative office where
the theft occurred is gated and patrolled by security, someone still broke
into a video-monitored sixth-floor office and removed the computers. The
organization says it notified local police as soon as
the theft was discovered on Oct. 14. After reviewing the video
surveillance, police are reportedly searching for a homeless man from the
area, who they allege stole the computers, according to local news media
reports.

The California provider organization says it had recently engaged a
third-party auditing company to perform a security risk assessment and was
working through its recommendations. In the wake of the theft, AHMC says it
will be expediting a policy of encrypting all laptops. "In taking these
actions, AHMC Healthcare is strengthening the high standards it maintains
for safeguarding protected health information," its statement notes.

AHMC did not respond to a request for comment.

Dismissed Suit

A number of major breaches, including the Advocate health breach and others
involving stolen devices, have resulted in class action lawsuits. The
lawsuit tied to the Advocate Health breach focuses on the organization's
alleged failure to safeguard and secure data in violation of the Fair
Credit Reporting Act. It alleges the organization placed affected patients
at risk of identity theft and fraud.

Meanwhile, a California appellate court recently dismissed a class action
suit against the Board of Regents of the University of California stemming
from a breach involving a 2011 burglary at the home of a UCLA Faculty Group
Practice physician. An unencrypted external hard drive stolen in the
burglary contained data on more than 16,000 patients treated at UCLA
facilities. In dismissing the suit, which alleged UCLA failed to have
reasonable controls in place to prevent the disclosure of private medical
information, the court noted there was no confirmation that the affected
patients' data was actually inappropriately accessed.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/