AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

AlertBoot Endpoint Security
Laptop Encryption Software: Howard University Hospital Notifies 34,000 Patients Of Data Breach

Howard University Hospital has sent a breach notification letter, as required under HITECH's Breach Notification Rule, to 34,503 patients. A contractor's laptop, protected only by a password, was stolen. Technically speaking, though, wouldn't this have been a data breach even if the contractor had used disk encryption software like AlertBoot to secure his laptop's contents, or even if his laptop hadn't been stolen?

Contractor Violated Hospital and Federal Rules

According to wusa9.com,

The contractor, who stopped working for the hospital in December 2011, reported the theft of the laptop to police on Jan. 25. The contractor subsequently notified hospital officials...data varied in the types of information contained, but included some or all of the following: names, addresses, Social Security numbers, identification numbers, medical record numbers, birthdates, admission dates, diagnosis-related information and discharge dates.

Most of the patients affected received treatment between December 2010 and October 2011.  Some data goes as far back as 2007.  Patients are being offered one year of free identity theft monitoring service.

The site nbcwashington.com notes that,

Howard University Hospital said the contractor violated hospital and federal rules by downloading the data onto the personal computer. It said new procedures are now in place to prevent this from happening again.

The above statement leaves me wondering, "which federal rules?"

Which Rule Was Violated?

It can't be HIPAA / HITECH because it applies to covered entities, and not business associates or contractors, as far as I know. In fact, under this arrangement, it's correct to note that Howard University is in breach of HIPAA because they didn't have controls that stopped the contractor from accessing PHI or copying the data, nor an auditing mechanism that alerted them to the contractor's actions.

The only other law that I can come up with (and this is a surefire sign that I'm not a lawyer) is the Computer Fraud and Abuse Act, which is generally applied to hackers and such. Plus, it wouldn't really apply in this case because it covers "federal interest computers", which are defined as:

  • exclusively for the use of a financial institution or the United States Government, or, in the case of a computer not exclusively for such use, used by or for a financial institution or the United States Government and the conduct constituting the offense affects that use by or for the financial institution or the Government; or
  • which is used in or affecting interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States.

I'm not saying the contractor didn't do anything wrong.  If you're a contractor who deals with sensitive data, you really ought to be using encryption software on your work computer.  That the above contractor didn't do so could have had far-reaching effects:  for example, if he was offering his services at multiple institutions, he could have triggered a PHI data breach at other HIPAA-covered institutions as well.

But, I'm wondering which federal rule he violated.


Related Articles and Sites:
http://www.nbcwashington.com/news/local/Stolen-Laptop-Howard-University-Hospital-Patients-Records-at-Risk-144635745.html
http://huhealthcare.com/healthcare/hospital/data-breach
http://www.wusa9.com/news/article/199008/158/Hospital-Acknowledges-Possible-Disclosure-Of-Patient-Records


About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.