Device Robbers Demand Encryption KeysBrigham and Women's Hospital Reports Thefts From Physician
Technically savvy armed robbers who stole an encrypted laptop and smart phone from a physician who works at Brigham and Women's Hospital in Boston demanded that the doctor reveal the devices' passwords and encryption keys as well.
The armed robbery took place off the hospital campus at an undisclosed location on Sept. 24, according to a statement from the hospital, which is operated by Partners Healthcare.
"During the robbery, the assailants forced the victim to disclose the passcodes and encryption keys to these devices. Possession of the passcodes and encryption keys, along with the devices themselves, could provide an individual the ability to view information stored on the laptop or cell phone," the hospital notes.
Brigham and Women's says it immediately reported the crime to the Boston Police Department. "We do not know if the information on these devices has been accessed. To date, neither the laptop nor the cell phone has been recovered," the hospital says.
An investigation has determined that the data contained on the devices included information on about 1,000 patients who received treatment at the hospital's neurology and neurosurgery programs between October 2011 and September 2014, as well as a small number of individuals participating in research studies, the hospital reports. The data on the devices included patient names or partial names, and may also have included one or more of the following: medical record number, age, medications, and information about diagnosis and treatment.
"Although BWH has no indication of any misuse of this information, BWH began sending letters to potentially affected patients on Nov. 17, 2014," the hospital says.
Brigham and Women's did not respond to Information Security Media Group's request for additional information about the incident.
Lost or stolen unencrypted devices are the No. 1 cause of breaches listed on the Department of Health and Human Services' "wall of shame" of HIPAA breaches affecting 500 or more individuals. But this breach case, involving encrypted devices, is unusual.
"An armed robbery is, in itself, a unique incident as compared to other breaches, particularly with the added element of the robbers demanding passcodes and encryption keys," says Dan Berger, CEO of the security consulting firm Redspin. "We've seen many stolen devices result in reportable breaches in the past, but in most cases, one could assume that the thieves were more interested in the device than the information on it. This is certainly an indication of the realization that PHI is of great value - to risk an armed robbery for a laptop and phone alone tells me these guys really wanted the data."
Although the two devices stolen from the physician were encrypted, "this is a reportable incident to [HHS] because a risk analysis would conclude that the likelihood of information being disclosed is quite high," he says. "It is really difficult for organizations to protect themselves against this kind of risk, although remote wiping technology is one possible solution. Nonetheless, it is a stark reminder of the risk of having PHI on portable devices."
Another potential defense against these types of attacks would be to use "encrypted hidden containers using separate keys and passwords stored on the encrypted device," says Dublin-based information security consultant Brian Honan, who heads Ireland's computer emergency response team. "This means that even if an attacker managed by stealth or coercion to get the user's encryption keys and password, the data is still hidden and protected on the device. Of course this assumes the attacker does not know how to look for and discover those hidden containers."
According to the HHS "wall of shame," Brigham and Women's has had two other breaches involving stolen computing equipment. That includes the 2011 theft of an unencrypted portable computing device resulting in a breach affecting 638 individuals and a 2012 theft of an unencrypted desktop computer that affected 615.
(Mathew Schwartz, managing editor Europe, contributed to this story.)