AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

AlertBoot Endpoint Security

Data Encryption Software: Cord Blood Registry Announces Loss Of Computer, Backup Tapes

Databreaches.net has an entry on Cord Blood Registry (CBR), a company that deals with cord blood (a source of, erm, "non-controversial" stem cells.  Sorry, had to mention it because of all the issues surrounding it).  According to CBR, via databreaches.net, a computer and backup tapes were stolen from an employee's car.  No word on what was on the computer, but it was made clear that the tapes, which did contain personal information, were not protected with data encryption software like AlertBoot.

Sensitive Information Lost, Not HIPAA-Covered

Based on the databreaches.net page, it appears that the tapes contained sensitive data, including customer names, SSNs, driver's license numbers, and credit card numbers, although not every affected person had all of these data elements on the tapes.  Despite the nature of the information, encryption software was not used on the backup tapes, which, in my experience, is not unusual (although, from a data security standpoint, it really should be: a tape that leaves the building in a car is exactly the case full disk or media encryption exists for).

The tapes and the computer -- plus other items -- were stolen from an employee's car, which was locked.  Approximately 300,000 people are being contacted due to the breach.  Except for the large number of people, this episode doesn't sound too different from countless others.

Except for this:

According to the spokesperson’s statement, CBR is not a HIPAA-covered entity and the breach did not involve any health information. [databreaches.net]

It doesn't sound right, right?  After all, what could be more medical than cord blood?

Are SSNs Health Information?

In brief, yes.  I may not be a lawyer, but I know how to read English.  Under a section titled "What Information is Protected," the Office for Civil Rights (OCR) at hhs.gov notes (all emphases mine):

Protected Health Information. The Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information "protected health information (PHI)."

"Individually identifiable health information" is information, including demographic data, that relates to:

  • the individual's past, present or future physical or mental health or condition,
  • the provision of health care to the individual, or
  • the past, present, or future payment for the provision of health care to the individual, and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual.  Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).

While SSNs are not technically "health information" on their own, since they say nothing about a person's physical health or medical data, the OCR text above makes clear that such identifiers become PHI when a covered entity (or its business associate) holds them together with health information.  By the same reasoning, the driver's license numbers CBR collected would also fall under PHI, if CBR were a covered entity.

Is Cord Blood Registry Covered by HIPAA?

Apparently, the answer is no.  For starters, there are the spokesperson's words, and I don't doubt that person.  I did find one source that could raise questions: a CBR press release that mentions "efforts to ensure strict compliance with HIPAA regulations."  That could simply be someone's mistake while writing up a press release.  Or it could be something else.

Perhaps HIPAA does not apply to CBR, yet they're looking to comply with the rules anyway.  For example, this is what I found regarding CBR's competitor, Cryo-Cell, in its 10-K filing with the SEC (I couldn't find CBR's, since CBR is privately held, as far as I can tell.  All emphases mine, as usual):

The Company [Cryo Cell] is not subject to HIPAA because the Company does not engage in certain electronic transactions related to the reimbursement of healthcare providers and because blood and tissue procurement and banking activities are exempt. However, the healthcare providers that collect umbilical cord blood for the Company’s customers are subject to HIPAA.

The identifiable information shared is only what is permitted by HIPAA. In 2009, a portion of the American Recovery and Reinvestment Act of 2009 modified HIPAA under the Health Information Technology for Economic and Clinical Health Act ("HITECH Act").

While the Company is still not subject to HIPAA for the reasons stated above the Company may incur material expenses associated with compliance efforts. In addition, compliance may require management to spend substantial time and effort on compliance measures. If the Company fails to comply with HIPAA, it could suffer criminal and civil penalties. The civil penalties could include monetary penalties ranging from $100 per violation to $1.5 million depending on the level of violation.

Here you have another company that is apparently not a HIPAA-covered entity, and yet is spending money to be in compliance with it, and fears being penalized despite not being covered by the law.  (Yeah, I don't get it.)

For all I know, CBR could be in the same position: hence their statement that they're not a covered entity, even as they behave like one when it comes to this particular breach.


Related Articles and Sites:
http://www.databreaches.net/?p=16962

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.