

Another Laptop Stolen With Personal Patient Information: HIPAA & Breach Notification

Yet another...and another...in the ongoing saga of stolen laptop computers was recently reported.

Last Thursday South Florida's Herald Tribune reported that healthcare provider PSA HealthCare had disclosed the theft of a laptop containing cleartext information about 51,000 patients; it was stolen from an employee's car on July 15.

"The computer contained personal information on current and former patients, including their names, addresses, Social Security numbers and medical case information.  It did not include banking information or credit card numbers, and the computer was password-protected, the company said.  The company quietly announced the data theft in an Aug. 4 press release titled "PSA HealthCare Announces Data Security Update."  The company notified patients and their families four days later, in a letter dated Aug. 8, more than three weeks after the computer was stolen.  "That's what was so staggering to me," said Bradenton resident Virginia Robertson, who received the letter last week. Her mother is a PSA HealthCare client.  "It took them this long to get the information to the people that were affected by it. It would have given someone time to do some damage.""

The article goes on to indicate PSA Healthcare "is improving its data security policies."  They are a HIPAA covered entity; they should have identified weaknesses within their policies as part of their compliance activities.  It is really too bad the Department of Health and Human Services does not seek to enforce this *law*...this really seems like a good candidate for HIPAA noncompliance actions.

It is also worth noting that the PSA Healthcare site does not make a HIPAA-mandated Notice of Privacy Practices statement available on their site...if they do, it certainly was hiding from me when I looked there.  Another potential HIPAA infraction if the HHS should have the notion to pursue it.

"Kohl said PSA HealthCare had policies preventing employees from taking data out of its offices. "That has been dealt with from a disciplinary standpoint," he said, declining to elaborate.  That didn't satisfy Robertson.  "If they say they had a company policy against it, why in the world would the company allow someone to download personal information into a laptop in the first place?" she said."

Exactly!  Not only do courts and regulatory oversight agencies look at enforcement of policies and the associated sanctions levied, but customers/patients/consumers also want to know that policies aren't just empty words...meaningless promises.  Non-enforcement of policies can have a major negative impact on an organization.  Business leaders need to understand that policies are basically another form of legally binding contract.  To date, web site privacy policies have been the ones most aggressively monitored for compliance, most noticeably by the FTC.  However, as more incidents occur, the net of noncompliance penalties and fines will expand to include consideration of whether or not companies are following and enforcing their own policies.

This incident came soon after a Department of Transportation laptop was stolen from a Miami-Dade, Florida employee's car; that laptop contained 133,000 driver's license and pilot license records, was NOT encrypted, but was "password protected."  There is still no news about whether that computer was ever recovered; but even if it is, there is no way to tell whether or not the files have been copied and distributed, sold, or otherwise misused, until the involved individuals become victims of subsequent crimes.

These reports of stolen and lost laptops have many similarities and almost always indicate that 1) the data was not encrypted, 2) there was a policy against the activity that led to the incident, and 3) information security practices were being improved as a result.

Before an incident happens, use encryption to protect sensitive data that is in the hands, and under the control, of end-users.  Moving data is vulnerable data; encrypt it on laptops and other mobile computers, when it is used by remote users, and when it is traveling through at-risk networks, such as the Internet.

Review information security programs to find gaps with compliance for the policies you have, and in addressing important topics within your policies.  HIPAA and GLBA require you to do this if you are a covered entity under these regulations.

Don't settle for a mediocre information security program; make sure yours is effective and adequately addresses your business risks, reducing them to an acceptable level.  Most incidents expose information security programs that are not up to par.

Comments

Four out of five US companies have lost at least one laptop containing sensitive information over the past year. Indeed only one in 10 companies say there was no sensitive or confidential info on the lost laptop. But worse still, most companies are ignorant about what's actually on the missing hardware. Read more at:

http://www.soxfirst.com/50226711/lost_laptop_lunacy.php


Rebecca Herold's Bio:

Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, has been providing information security, privacy and regulatory assistance and services to organizations from a wide range of industries for over 18 years. Rebecca was instrumental in building the information security and privacy program while at Principal Financial Group, which was awarded the CSI Information Security Program of the Year Award in 1998. IT Security ranked Rebecca as one of the top 59 IT security influencers, and Computerworld put Rebecca on their list of the 25 top privacy experts and on their list of the 9 best privacy consulting firms. Rebecca has been CPO for two consulting organizations, and has had her own information privacy, security and compliance business since 2004. Rebecca has written chapters for several books and dozens of articles, has been writing a monthly privacy column for the CSI Alert newsletter since the beginning of 2001, and is working on her 11th book. Some of her other books include The Privacy Papers, Managing an Information Security and Privacy Awareness and Training Program, The Definitive Guide to Security Inside the Perimeter (Realtime Publishers), The Shortcut Guide to Improving IT Service Support through ITIL (Realtime Publishers), and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, Rebecca is the leader of The Realtime IT Compliance Community, where she posts to her IT Compliance weblog. You can contact Rebecca at: rebecca_herold@realtimepublishers.net.