Another Laptop Stolen With Personal Patient Information: HIPAA & Breach Notification

Yet another chapter…and another…in the ongoing saga of stolen laptop computers was recently reported.

Last Thursday South Florida’s Herald Tribune reported that healthcare provider PSA HealthCare had a laptop containing cleartext information about 51,000 patients stolen from an employee’s car on July 15.

"The computer contained personal information on current and former patients, including their names, addresses, Social Security numbers and medical case information. It did not include banking information or credit card numbers, and the computer was password-protected, the company said. The company quietly announced the data theft in an Aug. 4 press release titled 'PSA HealthCare Announces Data Security Update.' The company notified patients and their families four days later, in a letter dated Aug. 8, more than three weeks after the computer was stolen. 'That’s what was so staggering to me,' said Bradenton resident Virginia Robertson, who received the letter last week. Her mother is a PSA HealthCare client. 'It took them this long to get the information to the people that were affected by it. It would have given someone time to do some damage.'"

The article goes on to indicate that PSA Healthcare "is improving its data security policies." As a HIPAA covered entity, PSA should have identified the weaknesses in its policies as part of its compliance activities, before a laptop went missing. It is really too bad the Department of Health and Human Services does not seek to enforce this *law*…this really seems like a good candidate for HIPAA noncompliance action.

It is also worth noting that the PSA Healthcare site does not make a HIPAA-mandated Notice of Privacy Practices statement available on their site…if they do, it certainly was hiding from me when I looked there.  Another potential HIPAA infraction if the HHS should have the notion to pursue it.

"Kohl said PSA HealthCare had policies preventing employees from taking data out of its offices. 'That has been dealt with from a disciplinary standpoint,' he said, declining to elaborate. That didn’t satisfy Robertson. 'If they say they had a company policy against it, why in the world would the company allow someone to download personal information into a laptop in the first place?' she said."

Exactly! Not only do courts and regulatory oversight agencies look at whether policies are enforced and what sanctions are levied when they are broken, but customers, patients and consumers also want to know that policies aren’t just empty words…meaningless promises. Non-enforcement of policies can have a major negative impact on an organization. Business leaders need to understand that a policy is, in effect, another form of legally binding contract. To date, web site privacy policies have been the policies most aggressively monitored for compliance, notably by the FTC. However, as more incidents occur, the net of noncompliance penalties and fines will expand to take in whether or not companies are following and enforcing their own policies. A policy that forbids copying patient data to laptops, but is backed by no technical control that prevents it and no monitoring that detects it, offers the data no protection at all.

This incident came soon after a Department of Transportation laptop was stolen from a Miami-Dade, Florida employee’s car; that laptop contained 133,000 driver’s license and pilot license records, was NOT encrypted, but was "password protected." There is still no news about whether that computer was ever recovered; but even if it is, there is no way to tell whether the files have been copied and distributed, sold, or otherwise misused, until the affected individuals become victims of subsequent crimes.

These reports of stolen and lost laptops have many similarities and almost always indicate that 1) the data was not encrypted, 2) there was a policy against the activity that led to the incident, and 3) information security practices are being improved as a result.

Before an incident happens, use encryption to protect sensitive data that is in the hands, and under the control, of end-users. A login password is not encryption: it gates a running operating system, not the bytes on the drive, and a thief who removes the disk or boots from other media reads those bytes directly. Moving data is vulnerable data; encrypt it on laptops and other mobile computers, when it is used by remote users, and when it is traveling through at-risk networks, such as the Internet.
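The following is an added example, not code from the original post or from any of the companies it discusses. It simulates the two laptops above: one "password-protected" but unencrypted, one encrypted at rest under a passphrase-derived key. The patient records, the passphrase and the sizes are all constructed for illustration, and because the Python standard library has no AES, the cipher is HMAC-SHA256 run in counter mode as a keystream generator, standing in for the AES-based full-disk encryption a real deployment would use (it provides confidentiality only, no integrity). The point it demonstrates is that a thief reading raw drive bytes never encounters the login password at all.

```python
"""Added example (not from the original post): why "password-protected" is not
"encrypted" for a stolen laptop. Everything here is constructed for illustration."""
import hashlib
import hmac
import os
import re

# Constructed sample "disk contents": the kind of records the article describes.
PATIENT_RECORDS = (
    "Jane Q. Public, 123 Main St, Bradenton FL, SSN 078-05-1120, case: home nursing\n"
    "John Doe, 45 Bay Ave, Sarasota FL, SSN 219-09-9999, case: pediatric care\n"
).encode()

SSN_RE = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")


def recover_ssns(raw_disk_bytes: bytes) -> list:
    """What a thief does with a pulled drive: scan the raw bytes for SSN patterns.
    No login password is involved, because the operating system is not running."""
    return [m.decode() for m in SSN_RE.findall(raw_disk_bytes)]


def derive_key(passphrase: str, salt: bytes) -> bytes:
    """Derive a 32-byte key from the passphrase with PBKDF2-HMAC-SHA256.
    The iteration count is high so that offline guessing is slow."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF keystream.
    Assumption: a stand-in for AES-CTR, since the standard library has no AES."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_volume(plaintext: bytes, passphrase: str) -> bytes:
    """Encrypt data at rest. Layout: salt (16) || nonce (16) || ciphertext.
    Salt and nonce are fresh random values per volume."""
    salt = os.urandom(16)
    nonce = os.urandom(16)
    key = derive_key(passphrase, salt)
    stream = _keystream(key, nonce, len(plaintext))
    return salt + nonce + bytes(a ^ b for a, b in zip(plaintext, stream))


def decrypt_volume(blob: bytes, passphrase: str) -> bytes:
    """Inverse of encrypt_volume. With the wrong passphrase the output is
    pseudorandom garbage rather than an error: there is no integrity check here."""
    salt, nonce, ciphertext = blob[:16], blob[16:32], blob[32:]
    key = derive_key(passphrase, salt)
    stream = _keystream(key, nonce, len(ciphertext))
    return bytes(a ^ b for a, b in zip(ciphertext, stream))


def stolen_laptop_scenario(encrypted: bool, passphrase: str = "constructed-passphrase") -> list:
    """Simulate the theft and return the SSNs a thief recovers from the raw drive.
    encrypted=False is the "password-protected" laptop from the article: the OS
    password is never consulted, so every record is readable."""
    disk = encrypt_volume(PATIENT_RECORDS, passphrase) if encrypted else PATIENT_RECORDS
    return recover_ssns(disk)


if __name__ == "__main__":
    print("unencrypted, password-protected laptop:", stolen_laptop_scenario(False))
    print("encrypted laptop:", stolen_laptop_scenario(True))
    blob = encrypt_volume(PATIENT_RECORDS, "constructed-passphrase")
    print("legitimate user decrypts:", decrypt_volume(blob, "constructed-passphrase") == PATIENT_RECORDS)
```

The unencrypted scenario yields both SSNs to a one-line regex; the encrypted scenario yields none, and only the holder of the passphrase gets the records back. In practice the same lesson applies to the platform's own disk encryption (BitLocker, FileVault, LUKS), which additionally protects the key with hardware where available; the constructed cipher here is only to make the contrast runnable offline.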

Review your information security program to find gaps between the policies you have and how they are actually followed, and to confirm that the policies address the important topics in the first place. HIPAA and GLBA require this review if you are a covered entity under those regulations.

Don’t settle for a mediocre information security program; make sure yours is effective and adequately addresses your business risks, reducing them to an acceptable level.  Most incidents expose information security programs that are not up to par.
