Stolen University Health Care laptop requires notification of 4800
Technorati Tag: Security Breach
Date Reported:
3/13/08
Organization:
University of Utah
Contractor/Consultant/Branch:
University Health Care
Victims:
patients
Number Affected:
4,800
Types of Data:
"names, social security numbers and personal health information"
Breach Description:
"Possibly 4,800 patients' information could be compromised when a laptop with names, social security numbers and personal health information was stolen from University Healthcare"
Reference URL:
KUTV Channel 2 News
Report Credit:
KUTV Channel 2
Response:
From the online source cited above:
Possibly 4,800 patients' information could be compromised when a laptop with names, social security numbers and personal health information was stolen from University Healthcare over two weeks ago.
The hospital says that someone broke into a locked office and took a laptop and a flash drive.
The hospital does not believe that whoever stole the laptop was searching for the patients' information.
[Evan] What leads the hospital to believe this? There's no money in selling or using compromised confidential information, right? WRONG!
The hospital also says that the laptop is password protected and it is confident that the person who stole the laptop will not be able to access the information.
[Evan] Seriously, remarks like this demonstrate complete information security incompetence.
The information on the laptop varies for patients. Not all patients have social security numbers listed with the hospital.
University Healthcare began mailing out letters to people affected by the theft this week.
University Healthcare is trying to figure out which patients had information on that computer and what the information was. The hospital says that this process caused the notification delay.
[Evan] Not knowing what confidential information is where is a very common problem in today's organizations.
University Healthcare is providing the 4,800 patients with a year of free credit monitoring and is making changes in its policy.
[Evan] I feel like doing some math. The cost for full disk laptop encryption, maybe $100 - 150. The cost for investigation of the breach (say 20 hours @ $100/hr.), reconstruction (say 20 hours @ $100/hr.), notification ($300 to draft letter and maybe $2,400 to address and mail), and credit monitoring ($15/mo. x 12 months x 4800 customers) might cost $870,000. Maybe the hospital didn't believe they would ever lose a laptop or have one stolen that contained sensitive information. Risk management anyone?!
Employees will no longer be allowed to download sensitive information onto laptops, even if they're password protected.
[Evan] This is not the root of the problem. We have an information security governance and management problem. No easy fix.
University Healthcare apologizes for the problem and the notification delay.
Commentary:
It's Friday! I have some time on my hands, and I am getting tired of poor security of personal information. I go through phases.
One thing worth mentioning: we (meaning information security personnel) must go through the arduous task of data inventory and classification if we are to be effective. We should know what confidential information we create, collect, store, transfer, and/or destroy. We need to know where confidential information is throughout its lifecycle. We need to know what the threats are. We need to know what the vulnerabilities are. We need to know what the risks are. We need to know the costs of compromise (hard and soft dollars) when possible. We need to know the costs of protection. Maybe most importantly, we need to measure all of our efforts against the organizational goals and objectives. The list goes on and on and on.
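The "know where confidential information is" step above is the one University Healthcare was missing when it could not say which patients' data sat on the stolen laptop. As an added illustration (my own example code, not anything from the hospital or the news report), here is a minimal data-inventory pass: it scans a set of files for well-formed social security numbers and a few health-record keywords, assigns each file a classification label, and flags any classified file that lives under a laptop user profile, which is the policy the hospital later adopted. The file paths, contents, keyword list and the `C:/Users/` "laptop" prefix are all constructed assumptions for the demo.

```python
import re
from typing import Dict, List

# Constructed sample "files" standing in for a share and a laptop being inventoried.
# None of these are real records; the SSN-shaped values are made up.
SAMPLE_FILES: Dict[str, str] = {
    "//fileserver/secure/patient_export.csv":
        "patient,ssn,dx\nDoe Jane,123-45-6789,hypertension\nRoe Rick,321-54-9876,asthma\n",
    # Same export copied onto a laptop: exactly what the new policy forbids.
    "C:/Users/clinic/Desktop/patient_export_copy.csv":
        "patient,ssn,dx\nDoe Jane,123-45-6789,hypertension\nRoe Rick,321-54-9876,asthma\n",
    "C:/Users/clinic/Desktop/schedule.txt":
        "Monday 9:00 staff meeting\nTuesday 14:00 vendor demo\n",
    # Numbers that look like SSNs but fail the structural rules (area 000/666/9xx,
    # group 00, serial 0000); a naive \d{3}-\d{2}-\d{4} scan would over-report these.
    "C:/Users/clinic/Documents/billing_notes.txt":
        "Account refs: 000-12-3456, 666-12-3456, 123-00-4567, 123-45-0000\n",
}

# SSN pattern with the structural exclusions applied as lookaheads.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# Assumed keyword list for spotting health-record context; a real deployment would
# tune this to the organization's own vocabulary.
PHI_TERMS = ("patient", "diagnosis", "dx", "medical record")


def find_ssns(text: str) -> List[str]:
    """Return every well-formed SSN found in text, in order of appearance."""
    return SSN_RE.findall(text)


def find_phi_terms(text: str) -> List[str]:
    """Return the PHI keywords present as whole words (case-insensitive)."""
    lowered = text.lower()
    return [t for t in PHI_TERMS if re.search(rf"\b{re.escape(t)}\b", lowered)]


def classify(path: str, text: str) -> dict:
    """Label one file: Restricted if it carries SSNs, Confidential if it carries
    health-record context, otherwise Internal."""
    ssns = find_ssns(text)
    phi_hits = find_phi_terms(text)
    if ssns:
        label = "Restricted"
    elif phi_hits:
        label = "Confidential"
    else:
        label = "Internal"
    return {"path": path, "ssn_count": len(ssns), "phi_terms": phi_hits, "label": label}


def inventory(files: Dict[str, str]) -> List[dict]:
    """Build the inventory: one classification record per file."""
    return [classify(path, text) for path, text in files.items()]


def laptop_violations(records: List[dict], laptop_prefix: str = "C:/Users/") -> List[str]:
    """Paths of classified (non-Internal) files stored under the laptop profile
    prefix, i.e. data that policy says should not be on a laptop at all."""
    return [r["path"] for r in records
            if r["label"] != "Internal" and r["path"].startswith(laptop_prefix)]


if __name__ == "__main__":
    records = inventory(SAMPLE_FILES)
    for r in records:
        print(f"{r['label']:12} ssn={r['ssn_count']:<2} phi={r['phi_terms']} {r['path']}")
    print("Policy violations (classified data on a laptop):", laptop_violations(records))
```

The point of the validation lookaheads is the billing_notes file: an inventory that over-reports drowns the real findings, so the scanner should know the structure of the identifiers it looks for. The laptop check is the part that would have turned the hospital's two-week reconstruction effort into a lookup, because the inventory already says which machine held which records.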
If you are charged with securing your company's information assets, you need to understand that this is a serious business and not for the faint of heart. We don't just password protect and install firewalls for a living. We solve complex technical and political problems every day. If you need additional training (we all do) then get it. Don't look for shortcuts, because there aren't any. The dichotomy is that most effective solutions are simple and not complex. Simple sometimes gets confused with shortcut, but a shortcut is lazy. The money is good, but the challenges are GREAT.
OK, I've rambled enough. I'm stepping down from the podium now. Thanks for reading!
Past Breaches:
Unknown