Offsite data destruction and lack of encryption play role in South Shore Hospital breach


Date Reported:
7/19/10

Organization:
South Shore Hospital

Contractor/Consultant/Branch:
"a professional data management company" that has not been named.
UPDATE: Infosecurity reports that the contractor is Archive Data Solutions – formerly known as Iron Mountain Data Products.

Location:


Victims:
"patients who received medical services at South Shore Hospital – as well as employees, physicians, volunteers, donors, vendors and other business partners associated with South Shore Hospital – between January 1, 1996 and January 6, 2010"

Number Affected:
"approximately 800,000"

Types of Data:
"individuals’ full names, addresses, phone numbers, dates of birth, Social Security numbers, driver’s license numbers, medical record numbers, patient numbers, health plan information, dates of service, protected health information including diagnoses and treatments relating to certain hospital and home health care visits, and other personal information. Bank account information and credit card numbers for a very small subset of individuals also may have been on the back-up computer files"

Breach Description:
"Back-up computer files containing personal, health and financial information of thousands affiliated with South Shore Hospital may have been lost by a professional data management company."

Reference URL:
South Shore Hospital IMPORTANT INFORMATION notice
WCVB Channel 5 News
The Boston Globe
eWeek

Report Credit:
South Shore Hospital

Response:
From the online sources cited above:

South Weymouth, Mass. – South Shore Hospital today reported that back-up computer files containing personal, health and financial information may have been lost by a professional data management company.
[Evan] There is no mention of encryption being used to protect the information. On the "Answers to Questions" page set up by the hospital, look at question "7. Were the back-up computer files encrypted?" Seems like a yes or no question, doesn't it? The hospital's answer is "These particular back-up computer files were scheduled for destruction because they were in a format the hospital no longer uses and because the back-up process did not allow for these files to be encrypted. However, specialized software, hardware, and technical knowledge and skill would be required for someone to access and decipher the information." So the real answer is NO. I usually don't buy into the whole "specialized software, hardware, and technical knowledge and skill" argument because it is subjective and unspecific. This information should have been encrypted.

The hospital had engaged the company to destroy the files because they were in a format the hospital no longer uses.

The hospital has no evidence that information on the back-up computer files has been accessed by anyone.

An independent information-security consulting firm has confirmed that specialized software, hardware, and technical knowledge and skill would be required to access and decipher information on the files.
[Evan] OK.  What is specialized software?  Commercially available backup software like BackupExec or CommVault?  Specialized hardware like a tape drive?  Specialized technical knowledge and skill like being able to plug something into a wall socket, connect a few cables, turn things on, and install software?  I am only guessing.

Based upon South Shore Hospital’s investigation so far, the back-up computer files could contain personally identifiable information for approximately 800,000 individuals.

Included among those individuals are patients who received medical services at South Shore Hospital – as well as employees, physicians, volunteers, donors, vendors and other business partners associated with South Shore Hospital – between January 1, 1996 and January 6, 2010.

The information on the back-up computer files may include individuals’ full names, addresses, phone numbers, dates of birth, Social Security numbers, driver’s license numbers, medical record numbers, patient numbers, health plan information, dates of service, protected health information including diagnoses and treatments relating to certain hospital and home health care visits, and other personal information.
[Evan] Wow! This is a boatload of sensitive information. An identity theft bonanza.

Bank account information and credit card numbers for a very small subset of individuals also may have been on the back-up computer files.

South Shore Hospital’s back-up computer files were shipped for offsite destruction on February 26, 2010.
[Evan] Here is a good tip. All storage devices and/or media containing sensitive information must be encrypted at all times whenever they are outside of a restricted, physically secure area. Data-at-rest encryption is a control that must be applied whenever there is a significant risk of losing physical control (loss and/or theft). Here's another good tip: use onsite media and hard drive destruction. Check out our partners at RenovoData Services to see what I mean.

When certificates of destruction were not provided to the hospital in a timely manner, the hospital pressed the data management company for an explanation.

South Shore Hospital was finally informed on June 17, 2010 that only a portion of the shipped back-up computer files had been received and destroyed.
[Evan] Why do you suppose the hospital refuses to mention the name of the "data management company"?

South Shore Hospital immediately launched an investigation when it learned that its back-up computer files may have been lost.

The investigation has included working with the data management company and shippers to search for the missing back-up computer files, taking steps to verify the scope and types of information contained in the back up computer files, and assessing the possibility that someone could access that information.
[Evan] Who are the "shippers"?  I hope it wasn't your standard FedEx or UPS shipment.

South Shore Hospital has advised the MA Attorney General’s office, the MA Department of Public Health, and the US Department of Health and Human Services about this matter.

The hospital also has ceased the offsite destruction of back-up computer files and is putting in place policies to ensure that a similar situation cannot occur.
[Evan] Good idea, because this one incident could get expensive. It stinks that the organization could not have been more proactive. I read somewhere that reactive information security is, on average, seven (7) times more expensive than proactive information security. According to some estimates and research, a data breach related to personal information costs as much as $202 per record. The potential loss then could be as much as $161,600,000. The cost of adequate preventative control would have been what? Maybe a few thousand dollars. What would you decide is better?

The investigation into the matter remains ongoing.

“I am deeply sorry that these files may have been lost,” said Richard H. Aubut, South Shore Hospital president and chief executive officer. “Safeguarding confidentiality is fundamental to our mission of healing, caring and comforting. I recognize that this situation is unacceptable and would like to personally apologize to all those who have trusted us with their sensitive information.”
[Evan] The fact that a president and CEO addresses the situation personally demonstrates a level of involvement and commitment on the part of the hospital.  This was a good call.

South Shore Hospital is working to verify whose information may have been on the missing back-up computer files.

Formal notification letters will be sent to them in the next several weeks.  In the meantime, a sample individual notification letter has been posted

While there is no evidence that information on the back-up computer files has been improperly accessed, individuals may take steps to protect themselves, such as obtaining a free credit report, which can be done by visiting www.annualcreditreport.com or calling toll free, or placing a fraud alert on their credit report with one of the three major credit reporting agencies (Equifax, Experian and TransUnionCorp).
[Evan] At this point in time it appears as though the hospital is not offering any free service, which is typically more of a goodwill gesture than anything else.

Information about this matter is posted to South Shore Hospital’s website at www.southshorehospital.org and is available through a special automated toll-free Information Line at .

Commentary:
Again.  Any and all sensitive information sent offsite on any form or media should be encrypted using strong encryption.  Information stored on media is classified as "data at rest".  Properly applied and managed encryption is an adequate mitigating control against unauthorized information disclosure through the physical theft or loss (compromise) of storage media.  This is not a new concept and not a new type of breach.  If your organization uses backup tapes, flash drives, laptops, or any other type of storage media that may (has the potential to) store sensitive information AND has the potential of being used or transferred outside of your organization's physical boundaries and control, you had better include encryption of this media in your information security strategy.  There is really no good excuse for the organizations that fail to do so.

Another note. Secure data destruction is a very good thing. We recommend using a reputable destruction company with good references. Another process that could have avoided this particular breach would be the implementation of onsite data destruction. In onsite data destruction, the destruction company comes to you and destroys the media on your site. Again, check out RenovoData Services, and tell them Evan sent you!
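In this incident the files shipped on February 26, 2010 and the shortfall was only confirmed on June 17, 2010. The sketch below is an added example, not part of the original post or the hospital's process: it reconciles a shipping manifest against certificates of destruction so that missing paperwork is escalated within days. The media IDs, the 14-day deadline and the function name are assumptions made for illustration.

```python
from datetime import date, timedelta

# Assumption: policy requires a certificate of destruction within 14 days.
CERT_DEADLINE = timedelta(days=14)

def reconcile(manifest, certificates, today, deadline=CERT_DEADLINE):
    """Match shipped media against certificates of destruction.

    manifest:     {media_id: date shipped}
    certificates: {media_id: date destroyed, as stated on the certificate}
    """
    report = {"destroyed": [], "pending": [], "overdue": {}, "suspect": []}
    for media_id, shipped in sorted(manifest.items()):
        destroyed = certificates.get(media_id)
        if destroyed is None:
            age = today - shipped
            if age > deadline:
                # No certificate and past the deadline: escalate now.
                report["overdue"][media_id] = (age - deadline).days
            else:
                report["pending"].append(media_id)
        elif destroyed < shipped:
            # Certificate predates the shipment: wrong batch or bad paperwork.
            report["suspect"].append(media_id)
        else:
            report["destroyed"].append(media_id)
    # Certificates for media that was never on the manifest.
    report["suspect"] += sorted(set(certificates) - set(manifest))
    return report

# Constructed sample data; only the 2010-02-26 ship date comes from the post.
SHIPPED = date(2010, 2, 26)
MANIFEST = {f"TAPE-{n:04d}": SHIPPED for n in range(1, 6)}
CERTIFICATES = {
    "TAPE-0001": date(2010, 3, 2),
    "TAPE-0002": date(2010, 3, 2),
    "TAPE-0003": date(2010, 2, 20),   # dated before shipment
    "TAPE-0099": date(2010, 3, 2),    # never shipped
}

if __name__ == "__main__":
    for when in (date(2010, 3, 5), date(2010, 3, 15)):
        print(when, reconcile(MANIFEST, CERTIFICATES, when))
```

Run daily against the real manifest, a check like this turns "certificates were not provided in a timely manner" into a dated, per-item exception list.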

Past Breaches:
Unknown

 
Comments
  • 7/22/2010 5:17 PM Charles R Curbo wrote:
    I have a few criminal clients who sure would like to get their hands on this treasure trove of information. I bet you it would not take them an hour to acquire the "specialized equipment and knowledge" necessary to utilize this missing data.
