
Yet Another Stolen Laptop With Clear Text Patient PII

Yet another in a long procession of laptop thefts: "Stolen laptop contains personal info of 2,500 patients".

Here are the first few paragraphs...

"WASHINGTON (CNN) -- A government laptop computer stolen last month held unencrypted medical records of 2,500 participants in a government study, Susan Shurin, deputy director of the National Heart, Lung and Blood Institute (NHLBI) told CNN Monday.

The incident prompted the NHLBI to issue a statement saying it would no longer store patient medical information on laptops.

The lack of encryption violated federal guidelines dating back to 2006. Shurin told CNN the stolen laptop "fell through the cracks" and should have been encrypted. A thorough review of other laptops containing sensitive information is under way, she said.

The computer was stolen on February 23 from the trunk of a senior employee's car, Shurin said. It contained the names, birthdays, medical record numbers and diagnoses of patients who participated in a heart disease clinical trial study conducted by NHLBI from 2001 to 2007.

Patients were informed last week of the breach, after an investigation determined the laptop contained sensitive information. The theft appears to have been random, according to a statement from the institute's director."

And from a little later in the article...

"Greg Wilshusen, director of information security issues at the Government Accounting Office (GAO), said the incident could be the tip of the iceberg.

"These types of incidents are not unusual. Several government agencies have reported them," said Wilshusen. "The number of government security incidents has increased from 3,600 reported cases in 2005 to 13,000 in 2007, an increase of 250 percent."

Wilshusen said the increase is partly because a mobile workforce is requiring information to be stored on laptops and other mobile devices, placing private information at greater risk of being accessed, stolen or compromised."

The tip of the iceberg has turned into a mountain considering all the laptops that have already been lost and stolen.

I talk about this often with organizations and within my presentations and 2-day workshop.

Maybe the U.S. government should create a "No Laptop Left Behind" program...and penalize those agencies who have such incidents.

Another incident to add to your files, along with the same lessons learned...

  • Do not allow personally identifiable information (PII) to be stored on mobile computers or mobile storage devices. If it is necessary to do so for business reasons, then make sure it is strongly encrypted.
  • Organizations, in all sectors, must have effective information security and privacy programs that include policies, supporting procedures, periodic EFFECTIVE training, and ongoing awareness communications.
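As an added illustration (not code from the original post), here is a small detector that tells clear-text patient exports of the kind described in the article (birthdays, medical record numbers, diagnoses) apart from files that have actually been encrypted at rest; the regexes, the entropy threshold and the sample records are all constructed assumptions.

```python
import math
import random
import re
from dataclasses import dataclass

# Heuristics for the field types the article lists: birthdays, medical record
# numbers and diagnoses (names alone are too noisy to match on). Assumed formats.
DOB_RE = re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{4}|\d{4}-\d{2}-\d{2})\b")
MRN_RE = re.compile(r"\bMRN\s*[:#]?\s*\d{6,10}\b", re.IGNORECASE)
DIAG_RE = re.compile(r"\b(?:diagnosis|dx)\s*[:=]", re.IGNORECASE)

@dataclass
class Finding:
    looks_encrypted: bool   # high-entropy bytes: ciphertext (or compressed), not readable
    dob: int = 0
    mrn: int = 0
    diagnosis: int = 0

    @property
    def is_clear_text_pii(self) -> bool:
        # Require two independent identifier types so a lone date does not trigger.
        hits = sum(1 for n in (self.dob, self.mrn, self.diagnosis) if n > 0)
        return not self.looks_encrypted and hits >= 2

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; uniformly random (or properly encrypted) data approaches 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts if c)

def scan(data: bytes, entropy_threshold: float = 7.5) -> Finding:
    """Classify a file body: encrypted-looking, or clear text with PII field counts."""
    if shannon_entropy(data) >= entropy_threshold:
        return Finding(looks_encrypted=True)
    text = data.decode("utf-8", errors="replace")
    return Finding(False, len(DOB_RE.findall(text)),
                   len(MRN_RE.findall(text)), len(DIAG_RE.findall(text)))

# Constructed sample: a clear-text export like the one the article describes.
CLEAR_EXPORT = b"""name,dob,mrn,diagnosis
Jane Doe,1954-03-12,MRN 00123456,diagnosis: coronary artery disease
John Roe,07/04/1961,MRN:00987654,dx=hypertension
"""
# Constructed stand-in for the same file after encryption: pseudo-random bytes.
ENCRYPTED_STANDIN = random.Random(1).randbytes(4096)

if __name__ == "__main__":
    for label, blob in (("clear", CLEAR_EXPORT), ("encrypted", ENCRYPTED_STANDIN)):
        print(label, scan(blob))
```

Run over a laptop's home directory, a check like this surfaces the "fell through the cracks" files before the laptop leaves the building; the entropy test keeps it from flagging files that were already encrypted.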


Comments

It is hard to imagine how people are misplacing so many laptops. I have had the same laptop for 3 years now, and I still have it.

I can imagine that these problems are going to increase exponentially when the government begins issuing out Macbook Airs to their employees, lol.


Rebecca Herold's Bio:

Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, has been providing information security, privacy and regulatory assistance and services to organizations from a wide range of industries for over 18 years. Rebecca was instrumental in building the information security and privacy program while at Principal Financial Group, which was awarded the CSI Information Security Program of the Year Award in 1998. IT Security ranked Rebecca as one of the top 59 IT security influencers, and Computerworld put Rebecca on their list of the 25 top privacy experts and on their list of the 9 best privacy consulting firms. Rebecca has been CPO for two consulting organizations, and has had her own information privacy, security and compliance business since 2004. Rebecca has written chapters for several books, dozens of articles, and has been writing a monthly privacy column for the CSI Alert newsletter since the beginning of 2001, and is working on her 11th book. Some of her other books include The Privacy Papers, Managing an Information Security and Privacy Awareness and Training Program, The Definitive Guide to Security Inside the Perimeter (Realtime Publishers), The Shortcut Guide to Improving IT Service Support through ITIL (Realtime Publishers), and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, Rebecca is the leader of The Realtime IT Compliance Community where she posts to her IT Compliance weblog. You can contact Rebecca at: rebecca_herold@realtimepublishers.net.