Cooper University Hospital flash drive with personal info goes missing
Date Reported:

7/27/10
Organization:
Cooper University Hospital
Contractor/Consultant/Branch:
None
Location:
Victims:
"graduate medical education residents and fellows for the current and prior academic years"
Number Affected:
Undisclosed
Types of Data:
Personal information including "Social Security numbers, addresses, and phone numbers"
Breach Description:
"A thumb drive that contained personal data about current and past graduate medical education residents and fellows at Cooper University Hospital has gone missing. Hospital sources tell Action News the thumb drive went missing on July 8th."
Reference URL:
Channel 6 Action News
The Courier-Post
Report Credit:
Katherine Scott, Channel 6 Action News
Response:
From the online sources cited above:
CAMDEN, N.J. - July 27, 2010 (WPVI) -- A thumb drive that contained personal data about current and past graduate medical education residents and fellows at Cooper University Hospital has gone missing.
Hospital sources tell Action News the thumb drive went missing on July 8th.
Last Friday the hospital reported the incident to the NJ State Police Cyber Crimes unit and Tuesday to Camden Police who are now looking into the potential security breach.
[Evan] This is not a "potential" security breach. It IS a security breach.
"We are going to investigate to see if it was stolen or lost property," said Lt. Jason Pike.
Stolen or lost, both scenarios are cause for concern according to Drexel University's Robert D'Ovidio, Ph.D. because you cannot be absolutely certain the information won't fall in the wrong hands.
[Evan] We can never be "absolutely certain" that information won't be compromised, but we reduce risks wherever it's appropriate to do so. Using unsecured flash drives to store sensitive information is certainly a risk that is unacceptable to most organizations (and regulators).
It's information that hospital sources say includes Social Security numbers, addresses, and phone numbers.
"That data is a goldmine for lines of credit in your name," said D'Ovidio.
Making matters worse, the hospital source tells Action News the data on the thumb drive was not secure.
[Evan] I suppose meaning that the drive was not adequately secured with encryption (and good password/key management).
Cooper refused an interview but released the following statement:
"Cooper University Hospital is investigating the circumstances surrounding a missing thumb drive.
The thumb drive contained information with personal data about graduate medical education residents and fellows for the current and prior academic years.
We have advised the residents and fellows who were advised to contact their local police.
[Evan] Huh? Cooper University Hospital has advised that the victims contact their local police?! What are the local police going to do? Take a report, maybe.
No other employee information was compromised.
Further, no patient information or records were compromised.
[Evan] Thank God. If storing sensitive information on unprotected flash drives is permitted by the hospital, I suppose it's only a matter of time before patient records are included. Too much of a stretch?
The incident was reported to the New Jersey State Police Cyber Crimes Unit on Friday, July 23 as per the state notification procedure.
The hospital is conducting a thorough investigation and has initiated an aggressive plan to protect any personnel who could be affected by this potential security breach."
[Evan] Again, this is not a "potential security breach". It is a breach.
It's still early in the investigation, but Camden police say they will be reviewing security tapes to see if that will shed some light on what happened to that drive.
Commentary:
The use of removable media must be addressed in an organization's information security policy(ies). If the organization deems that it is necessary to use flash drives (or other removable media) to conduct business, then it must account for the risk of unauthorized information disclosure through the loss and/or theft of these devices. One possible solution to reduce risk is encryption. The majority of organizations that we (FRSecure) have worked with lately are prohibiting the use of removable media altogether.
Here is an interesting analysis. Consider this: we can buy a 32 GB flash drive for less than $90. 1 GB is enough space to store over 4 million names and Social Security numbers (given an average 11-character name). 32 GB could easily store the names and Social Security numbers of every single United States citizen alive today (a couple of times over).
Past Breaches:
Unknown