Lost DVD affects over 11,000 pharmacy patients
Date Reported:

8/4/10
Organization:
Contractor/Consultant/Branch:
McKesson Pharmacy Systems
Location:
Undisclosed, lost/stolen in transit
Victims:
Patients
Number Affected:
"approximately 11,440"
Types of Data:
Personal information, including "names and in some instances social security, health care and driver’s license numbers, as well as prescription information"
Breach Description:
Walsh Pharmacy has notified the New Hampshire Attorney General as well as local news outlets about a breach involving a lost/stolen DVD that contained sensitive personal information belonging to the pharmacy's patients.
Reference URL:
New Hampshire Attorney General breach notification
The Herald News
Report Credit:
New Hampshire Attorney General
Response:
From the online sources cited above:
FALL RIVER — Customers of a neighborhood pharmacy are being warned to take measures against identity theft after a DVD containing personal information went missing.
[Evan] There is no mention of whether or not the information was encrypted. Usually if there is no mention of encryption, it wasn't used. Shipping information on any type of removable media (flash drives, CDs, DVDs, USB hard drives, etc.) without encryption is often a very bad idea. I can understand how a small organization like Walsh Pharmacy may not know these things, but what excuse would McKesson make? Read on.
The warning affects pharmacy patients of Walsh Pharmacy, 202 Rock St.
Regular customer information was not compromised.
[Evan] Just the irregular customers' information was compromised? ;)
According to a legal notice in The Herald News on Thursday, the breach comes after a DVD containing prescription and other information mailed on June 3 by McKesson Pharmacy Systems — a business associate systems vendor for Walsh Pharmacy — containing prescription and other information was not received at the pharmacy.
A sealed envelop (sp) that was supposed to contain the DVD was received at Walsh Pharmacy on June 5, but was empty and there was no evidence of tampering.
[Evan] So are we safe to assume that the DVD never made it to the envelope? Many companies are implementing CCTV camera coverage in shipping/delivery areas to aid in the investigation of events occurring in these areas. CCTV may have provided evidence as to whether or not the DVD actually made it into the envelope. Of course it is possible (and even likely) that non-shipping/delivery personnel packed (or didn't pack) the envelope.
The DVD contained personal information of pharmacy patients, including names and in some instances social security, health care and driver’s license numbers, as well as prescription information.
No credit or debit card, or bank account numbers were on the DVD.
[Evan] I would rather lose credit/debit card and/or bank account information. It's easier to get this information changed.
Attorney Paul Garbarini said approximately 11,440 people in six or seven states were notified of the breach in letters sent Wednesday.
“The best belief of the company, and they tore their place apart and found nothing, is that the disk was probably compacted and shredded, as they do with any information that contains personal information,” Garbarini said.
[Evan] We can only hope, eh? People want assurance though.
Owner Tom Pasternak said the notification, which also offers patients two free years of credit monitoring service, was done out of an abundance of caution.
[Evan] Abundance of caution? An abundance of caution would have been to send confidential information in a more secure manner. How will credit monitoring help against someone who will use the medical information against a victim?
Anyone who has questions about the breach is asked to call 1- and refer to No. 2359080410 when prompted anytime between 8 a.m. and 5 p.m., Monday through Friday.
“I did this because I want to their interests more than anyone else’s,” Pasternak said. “Personally, I don’t think anyone has anything to worry about, but I just wanted to take this precaution. I’m extremely confident no data got breached.”
[Evan] This reminds me about a post that I am planning to make soon. What is a breach, anyway? Stay tuned.
Pasternak and Garbarini said the information is also protected through the use of multiple passwords and can only be opened on a specific operating system.
[Evan] This is interesting, and this could be adequate to prevent unauthorized access to the data. I don't have enough detail.
“You’d have to be a computer whiz to get at that language,” Garbarini said.
[Evan] I wouldn't rely too much on this. What may be a "computer whiz" to Mr. Garbarini may be a novice to others.
Garbarini said precautions have also been taken to ensure a similar scenario fails to play out in the future. He said the information will no longer be sent via mail, and instead sent through a secure e-mail system.
[Evan] Hey, there you go! More secure and more efficient. Too bad it took a breach to move in this direction.
“I don’t know what else to say besides ‘I’m sorry,’” Pasternak said.
[Evan] Wouldn't it be nice if more people were honest like this? I respect this.
Commentary:
We run into behavior like this too often. There are free tools available to encrypt sensitive data stored on removable media and you don't have to be a "computer whiz" to use them. I can't think of any good excuse. Even though Mr. Pasternak doesn't believe that the data was or will be compromised, he has still incurred real costs as a result of the lost DVD.
Past Breaches:
Walsh Pharmacy - Unknown
McKesson - 68,767 Patients Affected by McKesson Stolen Computers
OMG! I know at least 100 junkies in Memphis who would kill somebody for that DVD. DEA numbers, oxycontin, etc.; hell, they would be willing to kill several people. What is wrong with these people and lack of encryption?
Good point. People seem to forget that there is a real market for stolen information with real crooks looking for opportunities.
For some reason there still seems to be a general lack of understanding about encryption. People hear the word and almost shun away thinking it may be too complicated. In actuality, encryption basics are very easy to understand and many tools are very easy to use. We (FRSecure) will continue to work day after day to educate businesses, and hope that we are making a difference.