All I can say is “WOW!” I wonder how much this is going to cost the hospitals. How much damage is done to their reputation? What kind of government settlement, oversight and years of scrutiny will this cost the hospitals when the regulatory agencies are done negotiating with them on penalties and remediation?
Here is the gist of the story:
Thieves made off with the personal health records of an estimated 1.7 million New Yorkers' when they stole backup tapes from four Bronx hospitals In December. According to statement issued by the 14-hospital system on Feb. 11, computer backup tapes were stolen containg the records. The report came just days after the New York City Health and Hospitals Corporation began notifying victims Feb. 9. While it took HHC nearly two months before reporting the data breach, it was well within the 60-day period required by New York state law.
It reportedly took HHC this long to sort through the files and assess what kind of information the tapes had contained, and who the data belonged to, before reporting the data breach. According the hospital group, "the tapes contained full name, address, Social Security number, medical record number, health insurance information, diagnosis and treatment data, telephone numbers, birth, admission and discharge dates, and mother's maiden name, according to HHC's FAQ site. Staff, vendors, and contractors may have other personal information, such as professional licensure numbers.”
The full story is here:
I have had discussions with a few people about this event. One person suggested that they would be OK if the tapes were made using a password. In reality, password protection is only of limited protection from those trying to access the tapes through the application software that made the backup. If someone has moderately sophisticated skills, and readily available software, they can pull the data off the tape block-by- block and/or crack the password on an unencrypted tape. The password is kind of like the locks on the door of your house, they only keep out the honest people. The determined burglar or professional thief will still get what they are after. In talking with my Director of Compliance Practices, he made it very clear in saying, "while the password is a good additional measure, verifiable deployment of encryption is the ONLY safe harbor from a breach notification requirement and potential associated penalties and civil claims."
With all of that said, this heist is one of the best arguments for an encrypted Disk-to-Disk to online data storage vault if I ever heard of one. Eliminating the physical tapes that need to be picked up by couriers, employees, etc., mitigates a huge area of risk in the whole backup process. It is also HIGHLY recommended that you use encryption on any and all media where data is stored, or when data is in transit.
There are some quality high-speed and encrypted systems available that are of the much more secure Disk-to-Disk to online data storage vault services vs. tape systems. Obviously, I blog on this topic becaue it is important and Alvaka Networks DRworx service is a solution that would have prevented this whole expensive and embarrassing debacle. For more information on this and other encryption solutions, feel free to contact me as well.