Staten Island University Hospital notifies patients of December theft
Technorati Tag: Security Breach
Date Reported:
5/1/08
Organization:
Staten Island University Hospital
Contractor/Consultant/Branch:
None
Victims:
Patients
Number Affected:
88,000
Types of Data:
"names, Social Security and health insurance numbers"
Breach Description:
"STATEN ISLAND, N.Y. -- Computer equipment stolen from an administrative office in Rosebank in December contained personal information about 88,000 patients who have been treated at Staten Island University Hospital."
Reference URL:
Staten Island Advance
Staten Island Advance (Video)
Report Credit:
Glenn Nyback, Staten Island Advance
Response:
From the online sources cited above:
STATEN ISLAND, N.Y. -- Computer equipment stolen from an administrative office in Rosebank in December contained personal information about 88,000 patients who have been treated at Staten Island University Hospital.
[Evan] Wow, December?!
After four months with no arrests, hospital administrators are just now beginning the process of sending letters to patients whose names, Social Security and health insurance numbers were contained in computer files on a desktop computer and a backup hard drive stolen Dec. 29 from one of the hospital's finance offices at 1 Edgewater Plaza.
[Evan] Keeping sensitive personal information on a desktop computer and a backup hard drive, likely without encryption, is generally poor information security practice. There was no mention of encryption in the news report, so I will assume that it was not present.
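The control missing in this story is encryption at rest on the boxes that hold patient data. The script below is an added example for this post (not code from SIUH or the Staten Island Advance): it walks the block-device tree as reported by `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` on a Linux host and lists every mounted filesystem that is not layered on a dm-crypt/LUKS device, which is exactly the kind of finding you want before a desktop or backup drive walks out the door in a cardboard box. The embedded `lsblk` JSON is constructed to show an encrypted root disk next to an unencrypted swap partition and an unencrypted external "backup" drive; device names and mountpoints are assumptions for illustration.

```python
"""Audit a Linux host for mounted filesystems that are NOT on an
encrypted (dm-crypt/LUKS) block device.

Added example for this blog post, not code from the hospital or the
news report.  The JSON below is constructed to look like the output of
`lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT`; the device names and
mountpoints are assumptions.
"""
import json
import subprocess

# Constructed sample: sda2 is a LUKS container with the root filesystem
# inside it (protected); sda3 is plain swap and sdb1 is an external
# "backup" drive, both unencrypted.  lsblk reports swap with the
# pseudo-mountpoint "[SWAP]".
SAMPLE_LSBLK_JSON = """
{
  "blockdevices": [
    {"name": "sda", "type": "disk", "fstype": null, "mountpoint": null,
     "children": [
       {"name": "sda1", "type": "part", "fstype": "vfat", "mountpoint": "/boot/efi"},
       {"name": "sda2", "type": "part", "fstype": "crypto_LUKS", "mountpoint": null,
        "children": [
          {"name": "luks-root", "type": "crypt", "fstype": "ext4", "mountpoint": "/"}
        ]},
       {"name": "sda3", "type": "part", "fstype": "swap", "mountpoint": "[SWAP]"}
     ]},
    {"name": "sdb", "type": "disk", "fstype": null, "mountpoint": null,
     "children": [
       {"name": "sdb1", "type": "part", "fstype": "ntfs", "mountpoint": "/mnt/backup"}
     ]}
  ]
}
"""


def _walk(devices, encrypted_ancestor=False):
    """Yield (mountpoint, device name, fstype, protected) for every
    mounted node, depth first.  A node is protected when it or any
    ancestor in the device tree is a dm-crypt ("crypt") device."""
    for dev in devices:
        protected = encrypted_ancestor or dev.get("type") == "crypt"
        mountpoint = dev.get("mountpoint")
        if mountpoint:
            yield mountpoint, dev.get("name"), dev.get("fstype"), protected
        yield from _walk(dev.get("children") or [], protected)


def find_unencrypted_mounts(lsblk_json, ignore=("/boot", "/boot/efi")):
    """Return the mounted filesystems that sit on unencrypted storage.

    /boot and the EFI system partition are ignored by default because
    they are normally unencrypted by design and hold no user data; every
    other mount, including swap, is reported."""
    tree = json.loads(lsblk_json)
    findings = []
    for mountpoint, name, fstype, protected in _walk(tree.get("blockdevices", [])):
        if protected or mountpoint in ignore:
            continue
        findings.append({"mountpoint": mountpoint, "device": name, "fstype": fstype})
    return findings


def audit_live_host():
    """Run lsblk on the current machine and audit its real device tree."""
    out = subprocess.check_output(
        ["lsblk", "-J", "-o", "NAME,TYPE,FSTYPE,MOUNTPOINT"], text=True
    )
    return find_unencrypted_mounts(out)


if __name__ == "__main__":
    # Demonstrate on the constructed sample; call audit_live_host() on a
    # real Linux box instead.
    for hit in find_unencrypted_mounts(SAMPLE_LSBLK_JSON):
        print(f"UNENCRYPTED: {hit['mountpoint']} on {hit['device']} ({hit['fstype']})")
```

On the sample the script flags `[SWAP]` and `/mnt/backup` and stays quiet about `/`, because the root filesystem lives inside the `crypt` device under `sda2`. Swap is reported deliberately: pages of patient records can end up there, so an unencrypted swap partition next to an encrypted root is still a gap.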
"The hospital is in the process of issuing a letter of information to each patient involved in which one year of free credit monitoring is being offered,"
[Evan] As stated in numerous Breach Blog postings, true credit monitoring only alerts an individual AFTER fraud has already taken place. A Social Security number and other personal information do not expire or become ineffective after a year, so how good is one year of protection?
Ms. Ryback said no medical records were included in the files
wouldn't speculate why SIUH waited so long to notify people. "I'm not going to get into that," she said.
Police described the suspect -- caught on a surveillance camera -- as a black man between 30 and 40 years old. The man is seen walking out carrying the computer equipment in a cardboard box.
[Evan] The video of the theft is here. It's almost surreal to watch someone walk away with something that is very valuable to many people.
"at this time, there is no reason to believe that patient information from the stolen computer has been misused."
[Evan] Nope. The thief has not called the hospital to inform them that he is misusing the information.
Ms. Ryback said that, while the motive for the theft is open to question, it appears that it might have been purely for the value of the equipment.
"We take this opportunity to offer our apologies to the patients who are affected by the theft,"
"We reassure our patients and community that, as always, we regard patient confidentiality as one of our highest priorities, and in this regard, we are working to take additional steps to protect patient information and to reduce the possibility of computer theft in the future."
[Evan] Like what? Provide some details. Tell your customers/patients specifically what you plan to do in order to protect the information that belongs to them.
Without elaborating, Ms. Ryback said that "all you can do is be more security-conscious."
[Evan] Uh, no. This is not all you can do. Being security-conscious is important, but it is far, far, far from all you can do. How much weight should we put behind a statement like this? It's obvious that Ms. Ryback is not qualified to quantify "all you can do".
Police are asking for the public's help in catching a thief who made off with computer equipment from a Staten Island administrative building occupied by Staten Island University Hospital.
Police ask that anyone with information about the theft call NYPD's Crimestopper Hotline at 800-577-TIPS.
Citizen/Victim Reaction:
"After 4 months? Why did it take so long, Ms. Ryback? And now you're going to offer to watch people's credit? I hope they sue your pants off," one reader, goaway12, posted yesterday.
averagedude, asked, "where was security?"
youbetchabar, joked, "4 months is about the same amount of time it takes to get called in the ER," poking fun at the waiting time for emergency patients.
Commentary:
On the one hand I enjoy doing research, albeit brief research, about information security breaches. On the other hand I get really offended by organizations that demonstrate a lack of due care in the handling of personal information. No organization is going to state "We reassure our patients and community that, as always, we regard patient confidentiality as one of our lowest priorities, and in this regard, we are working to take additional steps to disclose patient information and to increase the possibility of computer theft in the future." In the end, what really matters? It's not what the organization claims, it is what it demonstrates.
I am miffed by SIUH's apparent lack of risk, information security, and incident response management.
Past Breaches:
Unknown