Chiropractic office notifies patients of break-in

Date Reported:
9/12/08 (letter to affected persons dated 8/1/08)

Organization:
Summer Avenue Chiropractic Clinic

Contractor/Consultant/Branch:
None

Location:
Memphis, Tennessee

Victims:
Patients

Number Affected:
Unknown

Types of Data:
"names, address, dates of birth and SS #'s"

Breach Description:
On July 10th, 2008 thieves broke into the office of Summer Avenue Chiropractic Clinic and stole the computers used to conduct business.  According to the letter sent to the affected patients, the computers contained encrypted personal information.

Reference URL:
The Breach Blog was provided with a copy of the letter sent to an affected patient.

Report Credit:
A trusted friend and reader of The Breach Blog.

Response:
From the online sources cited above:

A copy of the letter can be found by clicking here.



I would like to inform you of an unfortunate occurrence that Summer Avenue Chiropractic clinic has had.

On July 10th, 2008 our office was broken into and our computers were stolen.
[Evan] Information security personnel should almost plan for stolen and lost computers.

There was personal information on these computers with names, address, dates of birth and SS #'s.

I was very much HIPPA compliant and the good thing is that everything was encrypted and had strong pass codes.
[Evan] Great!  Now how about HIPAA compliant?  The person who sent the notification letter to me expressed some doubt over whether or not Summer Avenue Chiropractic Clinic actually encrypts information.  Later on in the letter (below), Dr. Gangwish writes "don't hesitate to contact our office with ANY questions you may have."  If people have doubts about the protections surrounding the personal information that belongs to them, I would encourage them to call and ask questions like: What type of encryption was used?  What product was used?  Do you have any proof that you can provide that the information was in fact encrypted?  After all, the information belongs to the patients.

I am asking that you keep a close eye [sic] your credit report over the next few months just for precautionary measures.

The police strongly believe that our office was not the target.
[Evan] Whether or not the office was originally the target of the break-in seems irrelevant.  The fact of the matter is that the office was the target; otherwise there wouldn't have been anything stolen from it.

Radio Shack next door was their target.

They came through our back door and tried to go up and over through the ceiling, but there was a fire wall between the two buildings, therefore, my office got the brunt of the damage.
[Evan] Good secure construction.  If I owned a business that created, collected or stored sensitive information, I would establish an office where I was the only business in the building or in a building that was adequately segregated from other businesses.  One of the segregation criteria would be walls that do not allow adjacent access.  Check this when evaluating an office space for adequate physical security.  Too often it is overlooked.

Three days later, they hit Radio Shack, their goal, and went through the back brick wall and got what they came for.

I am sorry for this inconvenience and if you have any questions regarding this matter, please don't hesitate to contact Erin at any time.

Her office hours are M-Th 8:30-4:00 and Friday's 8:30-12:00.

Again, please accept my deepest apologies and please don't hesitate to contact our office with ANY questions you may have.

Commentary:
To me, the telling sentence in this notification is "I was very much HIPPA compliant and the good thing is that everything was encrypted and had strong pass codes."  I would want more information.  I notice the word "was" which is past tense.  I notice "HIPPA" which is really meant to be "HIPAA".  I notice "everything was encrypted", which has been questioned.

Affected patients should certainly ask for more detail.

Past Breaches:
Unknown


 