Equipment stolen from the home of Health Service Executive employee
Date Reported:
9/10/08
Organization:
The Government of Ireland
Contractor/Consultant/Branch:
Health Service Executive*
*"The Health Service Executive (HSE) is responsible for providing Health and Personal Social Services for everyone living in the Republic of Ireland.
It is the largest organisation in the State, employing over 130,000 people, with a budget of €14.7 billion, operating 24 hours a day, seven days a week." (Source: "About the HSE")
Location:
Ireland
Victims:
"health workers"
Number Affected:
"about 1,150"
Types of Data:
"sensitive medical information" "name, address, date of birth, telephone numbers. GP name and address, and information on the occupation of the workers"
Breach Description:
"THE Health Service Executive (HSE) has apologised to more than 1,000 healthcare workers whose personal details were lost when computer equipment was stolen from a staff member’s home."
Reference URL:
Irish Times
Irish Examiner
Independent News
Report Credit:
Elaine Edwards, Irish Times
Response:
From the online sources cited above:
The Data Protection Commissioner has sought a meeting with Health Service Executive (HSE) management after a laptop, phone and data disk with personal information about 1,150 health workers was stolen from a staff member's home.
[Evan] Sensitive information needs the same level of protection whether it is at the office, with a partner, or at home. Organizations enable a mobile workforce, primarily to enhance productivity, yet too often they misunderstand or ignore the information security ramifications (risks) involved.
The HSE confirmed today the laptop, Blackberry and data disc were stolen from the home of a staff member last Wednesday, September 3rd.
the laptop was 'password protected, but was not encrypted'
[Evan] This is unacceptable. Give an intermediate (maybe novice) computer user 10 minutes with this laptop and they will have access to the information.
The HSE said the theft was reported to gardai and to the Data Protection Commissioner.
"The staff member concerned is a senior medical officer in public health medicine and the laptop and data disc contained personal information gathered for the purposes of a survey on the provision of the influenza vaccine to 1,150 healthcare workers in autumn 2007," the HSE said.
[Evan] If "senior" personnel are not following good information security practice, how does an organization expect more junior personnel to, or anyone for that matter?
"An electronic copy of the consent form that was signed by the healthcare workers involved was contained on the stolen disc. The forms contain routine information similar to that requested from recipients of other vaccines - name, address, date of birth, contact telephone number, GP name and data relating to occupation."
The HSE began notifying the staff members concerned.
It had also made a helpline available to the individuals and had apologised for the concern the theft may cause.
"The HSE is satisfied that the immediate cancellation of the Blackberry account has minimised any risk with regard to this particular theft."
It said "further consultation" on the information contained on the laptop is currently underway.
The health authority said it had initiated the process of encrypting all personal technological devices last year and had prioritised the encryption of all devices that contain "personal and medically sensitive data".
[Evan] It's great that HSE is in the process of encrypting mobile devices, but it seems wise to not allow offsite use until the process is complete for a particular device.
It said it planned to have all devices encrypted by the end of September.
Deputy data protection commissioner Gary Davis told Newstalk radio: "Our concern is how this type of information, revealing health information, came to be in somebody’s house in an unencrypted format."
Commentary:
Mobile devices such as laptops, PDAs, flash drives, etc. are great tools to enhance productivity and convenience. Unfortunately, these same devices can be disastrous to information security. Most people know this, but far too few do much about it.
On a separate note, do UK and Irish people write and speak funny or is it me?
Past Breaches:
The Government of Ireland:
August, 2008 - Sixteen laptops over ten years are stolen from the Irish Office of Comptroller and Auditor General
