I cannot believe that after 23 years of HIPAA being a law, we are still having reports about laptops being stolen and potentially compromising sensitive information of 43,000 patients because the data is stored in UNENCRYPTED format!
In the letter released by Coplin Health Systems on December 29, 2017 (link to letter), they begin by stating they recognize the importance of protecting the confidentiality of their patient’s sensitive information. They also state that they took measures to reduce harm by disabling the employees account and that the laptop has not been used to access their IT network. I will elaborate on these points in the hope that this is a learning tool and not to bash Coplin Health Systems.
Since they are required by law to comply with HIPAA, the organization would have conducted yearly risk assessments. During this assessment, someone would have noticed that an employee laptop containing patient information would potentially be taken out of the office and would need to be protected. This would have led to someone either creating a policy for the employees prohibiting laptops from being taken out of the office, encrypting the hard drives, and adding more security like BIOS and hard drive passwords.
We know having a yearly risk assessment can be a pain, but it can save your organization from making the 6 o’clock news and sizeable fines. In this case think $150 times 43,000 records as a potential fine plus having the Feds come in to put together a remediation plan.
The employee did the right thing by contacting the authorities right away. However, think about this, whoever stole the laptop now knows that there are 43,000 PATIENT RECORDS unencrypted on this laptop! They know this laptop has very valuable data. It doesn’t take a rocket scientist to figure out the next steps…they will get into the drive and see what they can do with the data. If they run into the right criminal, the data will show up on the Dark Web for sale sometime in the future.
We have helped different clients with data recovery, password changes when they forget it or lose it and I can tell you that whoever got this laptop can easily gain access to the drive. All that is needed is a simple tool and access to the laptop. The only hope is that the files are inside a program that is password protected and codes the records into something unusable.
Their IT department did the logical thing by disabling the end users account and protecting access to their network, but the gold is already out of the building. Whoever has the laptop does not need to get into their network if they can sell the data for as little as $35 per record (that would be a potential windfall of $1.5 MILLION on the Dark Web).
It would be a very different conversation if their press release started with their commitment to protecting patient’s sensitive information and had policies in place that were enforced and had set up a BIOS password, hard drive password and encrypted drive. Then a reasonable person would think that they truly were committed to protecting information.
Please do not be the next news story. Let us be a resource to help identify areas of concern. Risk Assessments are required by law and the firms that do not perform even a basic one are putting their livelihoods at risk of being deemed negligent and subject to hefty fines.
Call my office at 512.336.2970 x102 or fill out our form at www.TheCriticalUpdate.com/cybersecurity to schedule a call and explore what makes sense for your firm. We are here to help as little or as much as you want.
There are a number of services that you can choose from, such as:
- Security Awareness Training;
- Lunch and learn training at your location;
- Reviewing the findings of a self assessment (yes, you can do it yourself);
- Implementing equipment to manage cybersecurity protection to your data;
- Web filters, advanced threat protection and encryption;
- Replacing old systems that are vulnerable;
- Implementing an affordable cybersecurity bundle for your small firm (www.TheCriticalUpdate.com/subscription);
- Implementing a custom managed IT services plan.
Let’s have a conversation and truly take steps to show you understand the importance of protecting the confidentiality of your client’s sensitive information.
Ps – We also have resources to protect clients who have had their data compromised, if you have received a letter from a provider that was breached, there are tools that you can implement as well.
Luis Delgado is a father, husband, community resource, speaker, and entrepreneur who founded The Critical Update, inc (TCUINC) in 2003. TCUINC is a business and technology consulting firm that has evolved from basic computer support to affordable technology consulting, network management, outsourced IT and cybersecurity. Our clients are from every industry in Central Texas - for profit and not for profit.
Luis is focused on helping business owners create more jobs for Texas families by addressing compliance and productivity needs.