Two data breaches were recently in the news involving loss of sensitive data in similar ways. The first was announced by Associated Dermatology & Skin Cancer Clinic of Helena, MT. An employee kept a work journal that was stolen from her car. It contained information about the provision of patient care, and its loss was a breach of PHI (Protected Health Information), which is regulated under HIPAA. The breach disclosed the PHI of 1,254 patients. Although the journal did not contain the kind of sensitive information typically used to steal identities, the potential for misuse of the data is real. The journal held data such as patient names and ages, their physicians, notes on patient medical histories, and visit notes.

There’s no proof yet that this information is being or has been used by hackers. However, the threat of hackers using it on social media to trick patients into providing Social Security Numbers, dates of birth, and other sensitive information is serious. Once hackers have gathered as much personal data as they can, selling it on the Dark Web is the next step. Harm from the stolen journal data may not show up until much later, perhaps long after an affected person has dropped his guard.

The second breach came about when an employee’s laptop containing the PHI of 870 patients of Michigan Medicine was stolen from his car. The laptop was, in fact, the staffer’s personal property. Although Michigan Medicine followed all regulations and security controls regarding patient data, something escaped their careful security planning: the employee violated approvals and policies by downloading the data to his own personal laptop. Michigan Medicine requires all of its computers to use strong encryption for data, but the only protection on this staffer’s personal laptop was his password and nothing else. It’s believed that the stolen data didn’t include information used for insurance fraud or identity theft. In this case, patients were promptly notified and told to monitor their insurance and other accounts for fraudulent activity, which is exactly what anyone whose medical information has been accessed in an unauthorized manner should do. This monitoring should continue for at least two years after the incident.

The quick responses by both AD&SCC in Montana and Michigan Medicine followed HIPAA guidelines for data breaches. In these two cases, those affected were notified much sooner than required. Those quick responses could help minimize the damage from both breaches, but there’s only so much that can be done once the data is out there in cyberspace. One way hackers avoid getting caught is by releasing stolen data in a slow-drip way. Released that way, the data is much harder to detect than a “data dump,” which is always far more obvious. In the case of Michigan Medicine, their concerted effort toward further employee education on patient privacy policies is admirable. According to Michigan Medicine, the goal of this training is “to further enhance key messages about the prohibited use of personal, unencrypted devices for storage of research data.” Bravo!

Lesson learned: If you must travel with phones and other devices storing work information, remember – always take them with you, never leave them in the car. And encrypt the data. You, your boss, and your patients will be glad you did.