A second breach reported from Jewish Hospital and St. Mary's HealthCare

Date Reported:
6/30/10

Organization:
Jewish Hospital & St. Mary's HealthCare

Contractor/Consultant/Branch:
Women’s Center at Sts. Mary & Elizabeth Hospital

Location:


Victims:
Patients

Number Affected:
77

Types of Data:
"Patient names, details on medical exams and even biopsy images"

Breach Description:
"On April 21, patients of Sts. Mary & Elizabeth Hospital Women's Center got a letter telling them a computer hard drive had been stolen from a locked area."

Reference URL:
WAVE3.com

Report Credit:
Eric Flack, WAVE3.com

Response:
From the online source cited above:

LOUISVILLE, KY (WAVE) – There has been another data breach at a Louisville hospital owned by Jewish Hospital & St. Mary's Healthcare.
[Evan] The 1st breach announcement is still available for reading online: Our Lady of Peace Public Notice

Jewish Hospital is still reeling from the disappearance of a flash drive from Our Lady of Peace.

While this data breach is much smaller, there is still cause for concern.

On April 21, patients of Sts. Mary & Elizabeth Hospital Women's Center got a letter telling them a computer hard drive had been stolen from a locked area.
[Evan] I'm not sure why WAVE Channel 3 News reports this breach on their Web site now, when patients received letters back in April. So, two breaches. One breach affected 24,600 patients and was announced on April 29th (according to the date on the public notice). This second breach affecting 77 people was also announced sometime in April, but made news now. I think I got this right.

The hard drive had medical files on 77 patients, and those files were not encrypted.
[Evan] Most organizations do not encrypt non-mobile hard drives/media. We (FRSecure) typically don't make the recommendation either, IF adequate preventative and detective physical security controls are in place and operational AND media re-use and destruction practices are sufficient. If an organization is lacking in either of these two areas (physical security/media destruction), then hard drive encryption should certainly be very strongly considered. Of course, you could always take the approach with the least amount of risk and do all of the above.

Patient names, details on medical exams and even biopsy images were left exposed. But as was the case with the data breach at Our Lady of Peace, social security numbers, telephone numbers and home address were not.

Last week, Jewish Hospital was sued for the data breach at Our Lady of Peace, which impacted 24,600 patients.
[Evan] The lawsuit has been filed by Henry & Associates, PLLC. Information about the lawsuit can be found on their site: Our Lady of Peace Lawsuit.

The hospital is now going back and looking at the security of medical files in all of its hospitals, making sure anything that has medical files, right down to a PDA, is encrypted.
[Evan] Good, but certainly don't stop there.

Louisville Metro Police are investigating the latest theft. No one has been arrested so far.

The hospital says the two incidents are not connected.

Commentary:
This doesn't come at a good time for the organization, but when is a good time for a breach anyway?

Past Breaches:
Jewish Hospital & St. Mary's HealthCare - April, 2010; Lost flash drive affects 24,600 Lady of Peace patients

Comments
  • 7/1/2010 4:35 PM Charles R. Curbo wrote:
    Who says the two incidents were not related? They both sound like inside jobs to me, and I would start with the assumption that an employee stole the hard drive as well as the USB device. Your average thief does not go into a hospital and steal a hard drive or a USB device. What kind of money could they get for that unless they were ID thieves? If they were ID thieves, but not employees, why would they strike the same hospital twice? Just sounds like an inside job to me. Personally, I feel that personnel issues are just as important as physical security and/or encryption, as 2 conspiring coworkers can quickly get around most any physical security. If I were this hospital, I would want some hidden cameras the employees did not know about recording 24/7 365 to an offsite location all employee interaction with computers.
