US Army laptop is missing, personal data was encrypted
Technorati Tag: Security Breach
Date Reported:
12/02/08
Organization:
United States Army
Contractor/Consultant/Branch:
Bavaria Medical Department Activity (non-standard certificate)
Location:
Vilseck, Germany
Victims:
Patients (Army personnel and beneficiaries)
Number Affected:
"approximately 6,000"
Types of Data:
"names, Social Security numbers and health information"
Breach Description:
"VILSECK, Germany - U.S. Army medical officials in southeast Germany waited nearly two months before notifying more than 6,000 beneficiaries of a possible security breach regarding their personal information stored on a lost laptop computer."
Reference URL:
Stars and Stripes
Report Credit:
Kevin Dougherty, Stars and Stripes
Response:
From the online source cited above:
VILSECK, Germany - U.S. Army medical officials in southeast Germany waited nearly two months before notifying more than 6,000 beneficiaries of a possible security breach regarding their personal information stored on a lost laptop computer.
Authorities know the names, Social Security numbers and health information of at least 26 individuals were stored on the laptop, according to a news release sent Monday from the U.S. Army Medical Department Activity, Bavaria.
[Evan] Some people may question why this type of information was permitted to be stored on a laptop. As we read on (below), we see that the information is encrypted according to an Army spokesperson. Encryption significantly reduces the risk of sensitive information exposure, assuming key secrecy (password?).
However, officials said similar information on approximately 6,000 other patients also may have been on the missing computer, though they don’t know for sure.
the laptop went missing on Oct. 4.
Notices that were sent to the beneficiaries on Nov. 24 were characterized as a precaution.
The letters were addressed to not only beneficiaries in the affected region, but to people from other regional commands in the United States and elsewhere who may be affected
The release did not explain why Army medical officials waited so long to notify the public.
In a phone interview late Monday, Lt. Col. Henry Spring, the unit’s deputy commander of clinical services, attributed the delay to bureaucracy, privacy issues, the need to provide reliable information and a concern over unduly scaring people.
[Evan] I found the mention of bureaucracy interesting. We know that bureaucracy exists and we know that bureaucracy is a contributing factor to a slow notification, we just don't hear people admit it much.
"Privacy is important," Spring said.
"We are concerned about people’s privacy."
The employee who lost the laptop apparently had it in their backpack while at Nuremberg’s main train station, according to the release.
The employee, who was not named, was en route to a temporary duty assignment when they lost track of the backpack prior to boarding their train
Officials believe whoever took possession of the laptop "could not access" the data on it "because of the encryption software program," Spring said.
[Evan] The mention of encryption. I'm glad to see it.
The user must have connection to a U.S. government network, a secure Common Access Card, and a password to access the computer, the release said.
"At no point," Spring added, "did we underestimate the concern it would cause folks."
Army officials in Vilseck have established a hotline for those who have received letters.
The number is: (DSN) 476-4627, or civilian at 09662-83-4627. There is also an e-mail address people can write to: .
Commentary:
We just don't read enough stories about breaches concerning information that was encrypted. Some people could argue that this isn't even a breach at all.
Past Breaches:
United States Army:
July, 2008 - Fort Lewis soldiers exposed by laptop theft
June, 2008 - Walter Reed Army Medical Center breach through P2P
April, 2008 - Excel Spreadsheet on the web exposes Army officers and civilians
Date Reported:12/02/08
Organization:
United States Army
Contractor/Consultant/Branch:
Bavaria Medical Department Activity (non-standard certificate)
Location:
Vilseck, Germany
Victims:
Patients (Army personnel and beneficiaries)
Number Affected:
"approximately 6,000"
Types of Data:
"names, Social Security numbers and health information"
Breach Description:
"VILSECK, Germany - U.S. Army medical officials in southeast Germany waited nearly two months before notifying more than 6,000 beneficiaries of a possible security breach regarding their personal information stored on a lost laptop computer."
Reference URL:
Stars and Stripes
Report Credit:
Kevin Dougherty, Stars and Stripes
Response:
From the online source cited above:
VILSECK, Germany - U.S. Army medical officials in southeast Germany waited nearly two months before notifying more than 6,000 beneficiaries of a possible security breach regarding their personal information stored on a lost laptop computer.
Authorities know the names, Social Security numbers and health information of at least 26 individuals were stored on the laptop, according to a news release sent Monday from the U.S. Army Medical Department Activity, Bavaria.
[Evan] Some people may question why this type of information was permitted to be stored on a laptop. As we read on (below), we see that the information is encrypted according to an Army spokesperson. Encryption significantly reduces the risk of sensitive information exposure, assuming key secrecy (password?).
However, officials said similar information on approximately 6,000 other patients also may have been on the missing computer, though they don’t know for sure.
the laptop went missing on Oct. 4.
Notices that were sent to the beneficiaries on Nov. 24 were characterized as a precaution.
The letters were addressed to not only beneficiaries in the affected region, but to people from other regional commands in the United States and elsewhere who may be affected
The release did not explain why Army medical officials waited so long to notify the public.
In a phone interview late Monday, Lt. Col. Henry Spring, the unit’s deputy commander of clinical services, attributed the delay to bureaucracy, privacy issues, the need to provide reliable information and a concern over unduly scaring people.
[Evan] I found the mention of bureaucracy interesting. We know that bureaucracy exists and we know that bureaucracy is a contributing factor to a slow notification, we just don't hear people admit it much.
"Privacy is important," Spring said.
"We are concerned about people’s privacy."
The employee who lost the laptop apparently had it in their backpack while at Nuremberg’s main train station, according to the release.
The employee, who was not named, was en route to a temporary duty assignment when they lost track of the backpack prior to boarding their train
Officials believe whoever took possession of the laptop "could not access" the data on it "because of the encryption software program," Spring said.
[Evan] The mention of encryption. I'm glad to see it.
The user must have connection to a U.S. government network, a secure Common Access Card, and a password to access the computer, the release said.
"At no point," Spring added, "did we underestimate the concern it would cause folks."
Army officials in Vilseck have established a hotline for those who have received letters.
The number is: (DSN) 476-4627, or civilian at 09662-83-4627. There is also an e-mail address people can write to: .
Commentary:
We just don't read enough stories about breaches concerning information that was encrypted. Some people could argue that this isn't even a breach at all.
Past Breaches:
United States Army:
July, 2008 - Fort Lewis soldiers exposed by laptop theft
June, 2008 - Walter Reed Army Medical Center breach through P2P
April, 2008 - Excel Spreadsheet on the web exposes Army officers and civilians
Posts Atom 1.0
Comments