AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

AlertBoot Endpoint Security

Drive Encryption Software: San Diego Regional Center Loses Unencrypted Backup Tape

The San Diego Regional Center has alerted their clients that a backup tape with sensitive data was lost while being shipped.  It looks like encryption software was not used to protect the contents of the tape.

Testing for Disaster Recovery

The tape was created for "disaster recovery testing."  If only this were part of that test.

The backup contained names, addresses, telephone numbers, Social Security numbers, program benefits numbers, and health and medical diagnostic information.  Parents' SSNs were also included if the client was a minor. (SDRC works with disabled individuals.)

The tape was lost when it was sent via courier service, from SDRC to the Department of Developmental Services, which is the California department that supports "individuals with developmental disabilities."

An explanation as to why a backup tape created for disaster recovery testing was sent to the DDS was not included.  (Hmm... maybe the tape was sent in case of disaster; you know, after the testing was done, they figured that having the DDS hold the data was a good policy.)

Since we only know of this incident because one of those notified in turn alerted phiprivacy.net, there is no way to know how many have been affected.

That's Disappointing: They Already Had Instructions to Encrypt

In order to find out whether SDRC was covered under HIPAA, I ventured over to their homepage.  Lo and behold, I saw that they have a "Quick Facts" section with a link that reads "SECURING CONFIDENTIAL INFORMATION."

So the link turns out to be a PDF by the DDS on "Securing Confidential Information and Data" published in November 2009, and under the recommended best practices it clearly states:

  • Encrypt information sent via email or provide as a password protected attachment and send the password in a separate communication;
  • When possible, use registered mail to send information to confirm it wasn’t intercepted or delivered to the wrong party;
  • Do not store confidential, sensitive, or personal data on non-encrypted laptops or mobile devices.
  • Do not backup data to non-encrypted media such as diskettes, memory sticks, or CDs.
    [from http://www.sdrc.org/publications/secureinfo.pdf, my emphasis]

Oh.  Oops.

It's good to know that they had at least given some thought to the issue of data protection.  While encryption software like AlertBoot disk encryption is not the be-all and end-all of data security, it cannot be denied that it would have made a world of difference in this particular case.

The SDRC claims that the chances of a data theft are tiny because of the need for the appropriate tape drive and software ("highly specialized tape drive" is what they called it), but this is a debatable matter (as I've pointed out in this other post regarding NASA's FR-900 Ampex tape drives).


Related Articles and Sites:
http://www.phiprivacy.net/?p=4794
http://www.phiprivacy.net/wp-content/uploads/sdrc_2010.pdf

 

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.