Baylor Health Care System employee is fired over stolen laptop

Technorati Tag:

Date Reported:
11/04/08

Organization:
Baylor Health Care System

Contractor/Consultant/Branch:
Health Texas Provider Network

Location:
Dallas/Fort Worth, Texas*

*incident took place in Royse City, Texas

Victims:
Patients

Number Affected:
100,000

Types of Data:
"Social security numbers and a limited amount of patient information"

Breach Description:
"A laptop computer containing limited health information on 100,000 patients was stolen from an employee's car in September, Baylor Health Care System Inc. said Monday."

Reference URL:
The Dallas Morning News
Dallas Business Journal
Baylor Health Care System Alert

Report Credit:
Jason Roberson, The Dallas Morning News

Response:
From the online sources cited above:

Dallas - November 4, 2008 - HealthTexas Provider Network (HTPN), a wholly owned subsidiary of Baylor Health Care System, announced today that it is notifying certain patients about the recent theft of a laptop computer that contained a limited amount of their personal information.
[Evan] I haven't posted a breach concerning a lost or stolen laptop in some time.  Just in case you were living on another planet, these incidents still occur (regularly).

A letter being sent to affected patients contains information about steps they can take to help protect their personal information.

The stolen laptop was being used for administrative purposes and did not contain comprehensive patient histories.
[Evan] Nor are comprehensive patient histories required in order to cause damage.

HTPN is sending notification letters to approximately 7,400 patients whose information on the laptop included their Social Security numbers and a limited amount of health information, such as a code indicating a treatment received.

The codes are a series of numbers requiring a medical code book to interpret, said Nikki Mitchell, a Baylor spokeswoman.
[Evan] Do you think that the "medical code book" is classified as confidential (or sensitive) and secured as required by such a classification?  I am guessing that the "medical code book" is not classified at all.

HTPN is also notifying up to 100,000 patients whose records on the laptop contained a limited amount of health information, but did not contain Social Security numbers.

"Although Texas state law requires us to notify only those people whose Social Security numbers were included, we are taking the extra step of notifying the additional 100,000 patients so that everyone affected is fully informed," said David Winter, M.D., chairman of HealthTexas Provider Network.
[Evan] I appreciate when a chairman (or other executive leader) comments on information security matters.  It demonstrates a certain level of understanding that they are the ones ultimately responsible for the protection of information assets.

"Fortunately, the laptop did not contain comprehensive patient medical records, and according to law enforcement officials, it is rare that incidents such as this result in identity theft."
[Evan] How does law enforcement think that identity theft occurs?  In order for identity theft to occur, a bad guy (or gal) needs access to information which is normally not disclosed because of it's sensitivity.  The information is not disclosed because it has the potential to be used in an effort to steal ones "identity".  Logic would tell us that if we make access to sensitive identity-related information more likely through poor control, we may increase the risk of identity-theft.  Yes?  No?  What I don't understand is the business decision to not encrypt laptops that may contain, collect, and/or process sensitive information.  Take the costs related to the incident; consulting costs, call center costs, PR costs, forensic analysis costs, notification costs, and other potential costs such as fines and/or fees.  How much does it cost to respond to a breach like this one?  $100,000?  $200,000?  $500,000 or more?  Now, how much does it cost to encrypt all laptops (include licensing, support, installation, administration, etc.)?

The laptop was stolen from a HTPN employee’s car between 11 p.m. and 8 a.m. on September 18 or 19 in Royse City, Texas
[Evan] Ugh.  Laptop left in a car overnight.  Obviously, not a good idea.

Since then, HTPN and the Baylor Health Care System have been working to identify the data on the laptop.

"We undertook a painstaking effort to recreate the often fragmented information on the laptop, a task that was time-consuming but essential to help ensure that we provide accurate notification," Dr. Winter said.
[Evan] How "painstaking" is it when we take a proactive information security approach?

Baylor Health Care System was in the process of upgrading its data security prior to the laptop theft.

As a result of that process, Baylor recently began installing a new computer technology that allows the organization to track laptops and to remotely erase data, if necessary.
[Evan] Really?  No encryption?  Why not?

Baylor Health Care System is offering a $1,000 reward for the return of the laptop.
[Evan] A thousand bucks is all.

No questions will be asked.

Those wishing to claim the reward may call Detective Jeff Caughron at the Baylor Department of Public Safety at .

HTPN and Baylor Health Care System are taking the following steps and providing the following resources to help patients affected by this incident.
  1. Mailing notification letters to patients whose names and other identifying information were on the laptop;
  2. Offering credit monitoring services at no charge to patients whose records included Social Security numbers
  3. Establishing a toll-free information line at 1-, open from 9 a.m. to 5 p.m. CST Monday through Friday, to respond to questions; and
  4. Establishing a website -- www.bhcsnews.com/securityassistance -- to provide information and resources.

It was within the manager's job description to visit Baylor locations collecting patient data on the laptop, but she was fired because leaving the laptop in her car broke protocol, Ms. Mitchell said.
[Evan] This is one reason why information security professionals (good ones) practice the well-known concept of defense-in-depth.  We know that some employees will circumvent policy and control.  We know that some employees will make mistakes.  So what additional (hopefully non-obtrusive) cost-effective controls can we design and employ to reduce the frequency and impact of these human-factor incidents?  Firing an employee will send a message to those paying attention.

"We take situations like this very seriously," Ms. Mitchell said.

Commentary:
Lost and/or stolen laptops containing sensitive information and inadequate controls are frustrating to read about.

Past Breaches:
Unknown


 
Trackbacks
  • No trackbacks exist for this post.
Comments
Page: 1 of 1
  • 11/5/2008 8:30 AM John O'Neill wrote:
    This comment is not specific to the Baylor incident but quite general regarding this blog. Today is my first visit. I have been following other sites which attempt to be general breach reports but have found none as comprehensive, frequently updated or clearly presented as this.

    I would like some information as follows.
    Would a member of your blog team be available to participate in our "Who's who in data" - details at:
    http://www.backupanytime.com/blog/whos-who-in-data/
    and what is your policy regarding republication of content? Given credits and link back is this allowed? I have already signed up to your newsletter.
    Thanks
    John O'Neill
    http://www.backupanytime.com/whitepaper.htm
    Reply to this

Page: 1 of 1
    Leave a comment