Health Data Breaches Involving Unencrypted Devices Reported
Despite the Decline of Such Incidents, Recent Breaches Serve as Reminders of Risks
While health data breaches stemming from the loss or theft of unencrypted devices have nosedived in recent years, a handful of recent incidents serve as a reminder that these devices still can pose risks to patient data.
NYC Fire Department Breach
The FDNY says it's notifying nearly 10,300 patients who were treated and/or transported by the department's emergency medical services from 2011 to 2018 of the loss of an employee's personal unencrypted external hard drive last March.
"The employee, who was authorized to access the records, had uploaded the information onto the personal external device, which was reported missing," FDNY says in a statement.
"Although there is no evidence to date that any of the information stored on the personal device has been accessed, the FDNY is treating the incident as if the information may have been seen by an unauthorized person. FDNY has notified the impacted patients."
About 3,000 patients whose Social Security numbers may have been compromised as a result of the incident are being offered prepaid credit monitoring, the department says.
Renown Health Breach
Meanwhile, Renown Health reports that on June 30, an employee reported that a thumb drive containing patient information went missing.
"Our investigation determined that some patient information was contained on the thumb drive, which may have included patient names, medical record numbers, diagnoses, clinical information, dates of admission, and physicians' names," Renown Health says.
The loss of the thumb drive affects only those patients who received inpatient services at Renown South Meadows Medical Center between January 1, 2012, and June 14, 2019, the organization states.
Renown Health did not immediately respond to an Information Security Media Group inquiry about the number of patients impacted by the incident.
As of Tuesday, neither the Renown Health nor the FDNY incidents had been posted on the Department of Health and Human Services' HIPAA Breach Reporting Tool website, which lists health data breaches impacting 500 or more individuals.
So far this year, only 16 incidents involving the loss or theft of unencrypted devices have been added to the tally. Those incidents have affected a total of about 146,000 individuals.
That's a tiny fraction of the 276 health data breaches impacting nearly 33 million individuals that have been added to the tally this year. That's also a big decline from a few years ago, when the loss or theft of unencrypted devices was the most common cause of major health data breaches.
So far this year, the largest breach involving the loss or theft of unencrypted computing devices added to the federal tally was reported in January by Texas-based Las Colinas Orthopedic Surgery & Sports Medicine, which operates under the name All-Star Orthopaedics. The theft incident involving an unencrypted hard drive affected 76,000 individuals.
In a breach notice posted on its website, All-Star Orthopaedics says that on Nov. 20, 2018, it discovered that a hard drive containing X-rays and other diagnostic images had been stolen (see Health Data Breach Tally: What's New?).
By comparison, the largest loss/theft incident posted on the HHS website since September 2009, when federal regulators began the tally, affected 4.9 million individuals. That incident, involving the theft of unencrypted backup tapes, was reported in 2011 by Science Applications International Corp., a business associate of the military healthcare program Tricare.
While many healthcare entities and their vendors appear to have dramatically improved their encryption practices for mobile computing devices, such as laptops and storage media, risks involving this gear still lurk.
"In my opinion, most organizations have not purchased encrypted portable media - encrypted USB flash drives, jump drives, external drives, etc. - for their employees to use," notes Tom Walsh, president of consulting firm tw-Security.
Meanwhile, it's very common for healthcare organizations to permit use of personally owned devices and media for work, so organizations must take steps to mitigate the risks involved, says Kate Borten, president of privacy and security consulting firm The Marblehead Group.
"This goes beyond devices and media that directly connect to the organization's network," she says. "For example, organizations may require personal devices and media to be registered and to meet security configuration and use requirements. Note that encryption is only one security control, and there are many others."
For example, when an employee leaves an organization, they should be required to either present their devices for secure wiping or sign a certification that all organization software and data has been deleted, she says.
Also, training should be provided on the risks of using personally owned devices and media and the consequences of not following organization policy and standards, she adds.
In both the FDNY and Renown Health incidents, the missing devices contained data on patients going back at least seven years. That also increases the risk, Walsh notes.
"Data should be purged once it is no longer needed," Walsh says. "Based upon my review of some of the largest data breaches reported to HHS, many could have been prevented if data had been properly sanitized or the media destroyed once it was no longer needed."
Organizations also should implement measures that help bolster the security of mobile computing and storage gear.
"Many organizations are using endpoint protection - such as their anti-virus software or a centralized enforcement control - that automatically encrypts at a file level any files, documents, spreadsheets, etc. that are transferred from a workstation to any type of portable media plugged into a USB port," Walsh says. "This also creates an audit trail of the data movement."
Some organizations have created Group Policy Objects - or GPO - rules through their Active Directory to enforce the use of certain types of encrypted USB drives, Walsh adds.
"USB drives have signatures - information about the device's manufacturer and the make/model of the portable memory device. Organizations are using this data to allow data transfers to encrypted USB drives issued by the company while blocking the data transfers to all other types of USB drives."
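The device "signature" Walsh refers to is the vendor, product, revision and serial number that Windows records for each USB mass-storage device. The following is an added example, not code from the article or from any product or organization it mentions, showing the default-deny decision such a policy encodes: a drive is allowed only if its vendor/product matches a company-issued encrypted model, optionally pinned to a serial number IT recorded at hand-out, and every decision is written as an audit record. The USBSTOR path format, the approved models, the serial numbers and the sample devices are all assumptions constructed for illustration; in production the same allow-list is pushed out through the Group Policy device-installation restrictions rather than evaluated in a script.

```python
"""Allow-list decision for removable drives keyed on the USB device "signature"
(vendor, product, revision, serial) that Windows exposes.

Added example, not code from the article or from any product it mentions.
The device paths, approved models and serial numbers are constructed for
illustration. The USBSTOR device instance path format assumed here is
    USBSTOR\\DISK&VEN_<vendor>&PROD_<product>&REV_<rev>\\<serial>&0
"""
import re
from dataclasses import dataclass
from typing import Optional

USBSTOR_RE = re.compile(
    r"^USBSTOR\\DISK&VEN_(?P<ven>[^&\\]*)&PROD_(?P<prod>[^&\\]*)&REV_(?P<rev>[^&\\]*)"
    r"(?:\\(?P<serial>[^&\\]+)&\d+)?$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class UsbDisk:
    vendor: str
    product: str
    revision: str
    serial: Optional[str]


def parse_instance_path(path: str) -> UsbDisk:
    """Pull the identifying fields out of a USBSTOR device instance path (assumed format)."""
    m = USBSTOR_RE.match(path)
    if m is None:
        raise ValueError(f"not a USBSTOR disk path: {path!r}")
    return UsbDisk(m["ven"].upper(), m["prod"].upper(), m["rev"].upper(), m["serial"])


# Company-issued hardware-encrypted models as (vendor, product). Assumed values.
APPROVED_MODELS = {
    ("KINGSTON", "DT4000G2"),
    ("APRICORN", "SECURE_KEY"),
}
# Serial numbers IT recorded when the drives were handed out. Assumed values.
ISSUED_SERIALS = {"0123456789ABCDEF", "FEDCBA9876543210"}


def is_allowed(path: str, require_issued_serial: bool = False) -> bool:
    """Default-deny: a drive passes only if its vendor/product is an approved encrypted
    model and, when serial pinning is on, its serial was issued by the company."""
    try:
        disk = parse_instance_path(path)
    except ValueError:
        return False  # unparseable, or not a USB disk at all: block
    if (disk.vendor, disk.product) not in APPROVED_MODELS:
        return False
    if require_issued_serial:
        return disk.serial is not None and disk.serial in ISSUED_SERIALS
    return True


def audit_record(user: str, path: str, require_issued_serial: bool = False) -> dict:
    """One structured entry for the data-movement audit trail, whatever the decision."""
    decision = "ALLOW" if is_allowed(path, require_issued_serial) else "BLOCK"
    try:
        disk = parse_instance_path(path)
        ident = {"vendor": disk.vendor, "product": disk.product, "serial": disk.serial}
    except ValueError:
        ident = {"raw": path}
    return {"user": user, "decision": decision, **ident}


if __name__ == "__main__":
    # Constructed sample of devices plugged into a workstation.
    SAMPLE = [
        ("jdoe", r"USBSTOR\DISK&VEN_KINGSTON&PROD_DT4000G2&REV_1.00\0123456789ABCDEF&0"),
        ("jdoe", r"USBSTOR\DISK&VEN_KINGSTON&PROD_DT4000G2&REV_1.00\DEADBEEF00000001&0"),
        ("asmith", r"USBSTOR\DISK&VEN_SANDISK&PROD_CRUZER_GLIDE&REV_1.00\4C530001234567&0"),
        ("asmith", r"SCSI\DISK&VEN_SAMSUNG&PROD_SSD_860\4&1A2B3C4D&0&000000"),
    ]
    for user, path in SAMPLE:
        print(audit_record(user, path, require_issued_serial=True))
```

Serial pinning is the stricter mode: without it, any drive of an approved model passes, including one an employee bought privately; with it, only the units IT actually issued pass, which is what turns a "use encrypted drives" policy into an inventory of known devices.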