There Are Some Things You Just Have To Learn The Hard Way
- Date: 9 September 2011
- Author: broyer
- Category: data privacy, Encryption, HIPAA, HITECH, News, Services
With the media flush with news of data leaks and hacking all around, from Anonymous and LulzSec to Wikileaks and others (Conficker, anyone?), you would think more of us would take data security seriously, at least to the point of encrypting every bit and byte that we store and being cautious when we transport that data on external hard drives or migrate it to the cloud. Especially when it comes to big-city hospitals. With hundreds of patients. That come under the legislative lens of HIPAA and HITECH governance. That reside in the shadow of the most rigorous — and toughest — consumer and encryption-specific data security law in the land.
You would think that. But you’d be wrong.
Last month the Boston Globe reported that a doctor who works at Brigham and Women’s and Faulkner hospitals lost an external hard drive in June, and the computer device may have contained medical information for 638 patients.
According to the report, information related to inpatient hospital stays from July 10, 2009, to Jan. 28, 2011, may have been on the device, including patient names, medical record numbers, dates of admission, medications, and information about diagnosis and treatment. The device did not contain Social Security numbers, insurance numbers, or other financial account information.
The doctor lost the hard drive June 21 while traveling in Mexico. But hospital officials said the physician had previously taken steps to delete patient information from the device, so the chances of information remaining on it are low. The Brigham would not identify the physician.
The hospital “takes the privacy and security of our patients’ information very seriously,” Sue Schade, chief information officer, said in a statement. “We are taking steps to reduce the risk of such events occurring in the future, including addressing the incident specifically with those involved, reviewing and augmenting our policies and procedures, and enhancing our training regarding technical safeguards required on external hard drives that may contain sensitive data, as well as limiting the amount of data stored on such devices.”
She said the hospital has no knowledge anyone has used data on the device. However, the hospital is offering patients identity protection services.
“We apologize for any inconvenience and deeply regret any concern this situation may cause our patients,” Schade said.
Ok, Ms. Schade, you’re telling it the way you need to spin this—by the book, our humble apologies, here’s the phone number for the company we’ve retained for our identity management services, the credit service bureau we’ve contracted with, mea maxima culpa and what not. But what gets lost in translation here is what a doctor was doing in the first place with this hard drive of patient data while traveling in Mexico. Was he on vacation? Was he traveling there with the records of patients he was seeing there, and wanted to have that data in hand as part of prior diagnoses by his colleagues and to set the table, so to speak, on an informed path for treatment?
The other in-town newspaper, the Boston Herald, reported the hard drive was lost on June 21, when the doctor, who worked for both hospitals, left the hard drive in a piece of luggage in a cab. That said, the report also doesn’t say explicitly whether the data contained on this drive was encrypted (which I doubt), and I wonder whether the Massachusetts Attorney General’s office will be investigating this breach under its own MASS 201 CMR 17 law.
According to the varied news outlets I regularly use as sources, there’s a general malaise in the IT community when it comes to the frequency of data breaches like these, you know, the ones that reach the front page. A “Cry Wolf” mentality that says things aren’t always what they seem, and besides, so long as the breached organization gives its patients or customers access to a credit reporting service, who’s really hurt?
I acknowledge that perspective, I really do, but honestly, by now data breaches like these should be in our rear-view mirror, especially those that originate internally or through human error. That’s the benefit of online encryption, like the kind offered by Venyu. Data is encrypted on intake, in flight, at rest, and when it’s transferred back to you. That protects against breach or theft, whether by external hackers or internal negligence. Like carrying a hard drive full of patient records with you in a taxi on your way to some (badly needed) R&R.
As I said when I titled this post, there are some things (in life, or in IT for that matter) that you just have to learn the hard way. Count this data breach toward your overall scorecard, Brigham and Women’s and Faulkner hospitals.