Yet Another Stolen Laptop With Clear Text Patient PII

Yet another in a long procession of laptop thefts, “Stolen laptop contains personal info of 2,500 patients”.
Here are the first few paragraphs…

“WASHINGTON (CNN) — A government laptop computer stolen last month held unencrypted medical records of 2,500 participants in a government study, Susan Shurin, deputy director of the National Heart, Lung and Blood Institute (NHLBI) told CNN Monday.
The incident prompted the NHLBI to issue a statement saying it would no longer store patient medical information on laptops.
The lack of encryption violated federal guidelines dating back to 2006. Shurin told CNN the stolen laptop “fell through the cracks” and should have been encrypted. A thorough review of other laptops containing sensitive information is under way, she said.
The computer was stolen on February 23 from the trunk of a senior employee’s car, Shurin said. It contained the names, birthdays, medical record numbers and diagnoses of patients who participated in a heart disease clinical trial study conducted by NHLBI from 2001 to 2007.
Patients were informed last week of the breach, after an investigation determined the laptop contained sensitive information. The theft appears to have been random, according to a statement from the institute’s director.”

And from a little later in the article…

“Greg Wilshusen, director of information security issues at the Government Accounting Office (GAO), said the incident could be the tip of the iceberg.
“These types of incidents are not unusual. Several government agencies have reported them,” said Wilshusen. “The number of government security incidents has increased from 3,600 reported cases in 2005 to 13,000 in 2007, an increase of 250 percent.”

Wilshusen said the increase is partly because a mobile workforce is requiring information to be stored on laptops and other mobile devices, placing private information at greater risk of being accessed, stolen or compromised.”

The tip of the iceberg has turned into a mountain considering all the laptops that have already been lost and stolen.
I talk about this often with organizations and within my presentations and 2-day workshop.
Maybe the U.S. government should create a “No Laptop Left Behind” program…and penalize those agencies who have such incidents.
Another incident to add to your files, along with the same lessons learned…

  • Do not allow personally identifiable information (PII) to be stored on mobile computers or mobile storage devices. If it is necessary to do so for business reasons, then make sure it is strongly encrypted.
  • Organizations, in all sectors, must have effective information security and privacy programs that include policies, supporting procedures, periodic EFFECTIVE training, and ongoing awareness communications.
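To make the first lesson concrete: "strongly encrypted" means that whoever walks off with the laptop gets ciphertext that is useless without a key held somewhere else, and that any tampering with the stored data is detected rather than silently decrypted. The following Go program is an added illustration written for this post, not code from the article, NHLBI or any product it mentions. It encrypts one constructed sample record (fake data, not a real patient) with AES-256-GCM from the standard library, then shows that the right key recovers it, that a single flipped byte is rejected, and that a different key is rejected. The record layout, the `record=1` label used as associated data, and the function names are all assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// SampleRecord is a constructed stand-in for one row of the kind of data the
// article describes (name, birth date, medical record number, diagnosis).
// It is not real patient data.
const SampleRecord = "Jane Doe,1958-04-12,MRN-000123,coronary artery disease"

// NewKey generates a random 256-bit AES key. In a real deployment the key is
// kept off the mobile device (hardware-backed key store or central key
// service), so that a stolen disk holds ciphertext only.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptRecord seals plaintext with AES-256-GCM and returns nonce || ciphertext || tag.
// aad (additional authenticated data) is not encrypted but is bound to the tag,
// so a blob cannot be re-labelled as a different record without detection.
func EncryptRecord(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag after the nonce, so one blob carries
	// everything the decryptor needs except the key.
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// DecryptRecord opens a blob produced by EncryptRecord. Any change to the
// nonce, ciphertext, tag or aad makes Open return an error instead of data.
func DecryptRecord(key, blob, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	nonce, sealed := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, sealed, aad)
}

// Demo encrypts the sample record, checks that it round-trips with the right
// key, then shows that a flipped byte and a wrong key both fail closed.
func Demo() (roundTripOK, tamperDetected, wrongKeyRejected bool, err error) {
	key, err := NewKey()
	if err != nil {
		return
	}
	aad := []byte("trial=heart-study;record=1") // constructed label, assumption
	blob, err := EncryptRecord(key, []byte(SampleRecord), aad)
	if err != nil {
		return
	}
	pt, err := DecryptRecord(key, blob, aad)
	if err != nil {
		return
	}
	roundTripOK = string(pt) == SampleRecord

	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01 // corrupt one byte of the tag
	_, tErr := DecryptRecord(key, tampered, aad)
	tamperDetected = tErr != nil

	otherKey, err := NewKey()
	if err != nil {
		return
	}
	_, kErr := DecryptRecord(otherKey, blob, aad)
	wrongKeyRejected = kErr != nil
	return
}

func main() {
	ok, tamper, wrongKey, err := Demo()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("round trip: %v, tamper detected: %v, wrong key rejected: %v\n", ok, tamper, wrongKey)
}
```

The design point is where the key lives: file-level encryption like this only helps if the key is not sitting next to the data on the same laptop, which is why full-disk encryption tied to a hardware key store or a passphrase the user must supply at boot is the usual way to meet the "strongly encrypted" requirement.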

