Laptop Theft: Are These Breaches Becoming Rarer?
Device Stolen from Indiana Clinic; May Be Largest Such Breach This Year
The recent theft of a laptop from a locked administrative office of an Indiana-based physician group practice may be the largest breach involving the loss or theft of an unencrypted computing device reported so far this year.
But such incidents have been reported less frequently so far in 2016 than they were during the same period last year, according to the Department of Health and Human Services' "wall of shame" tally of major health data breaches. And that leads some security experts to express cautious optimism that progress is being made in wider adoption of encryption for portable devices.
Premier Breach Details
In a March 8 statement, Premier Healthcare, a multi-specialty group practice in Bloomington, Ind., said the theft of the laptop from a locked billing department office, which was also secured with an alarm, was discovered by staff members on Jan. 4. The laptop contained protected health information of almost 206,000 individuals.
"Emails stored on the hard drive on that laptop contained some screenshots, spreadsheets and PDF documents that were used to address billing issues with patients, insurance companies and other healthcare providers," the statement says.
The documents contained various combinations of patient demographic information, such as name, address, date of birth, medical record number, insurance information, and/or some clinical information for all the affected individuals. However, for 1,769 of those individuals, Social Security number and/or financial information could also potentially be accessed on the laptop, Premier says.
"There is no evidence to believe that the information on the laptop was the target of the theft or that any of that information has been accessed or used for fraudulent purposes," the practice says. "Premier took immediate steps to investigate and attempt to recover the laptop. A police report was filed, and patients are being notified. Unfortunately, to date neither Premier nor law enforcement has been able to locate the stolen laptop or identify the perpetrator."
Premier says it has taken a number of steps to help prevent similar incidents, including beginning the process of encrypting all of its computers and reviewing its processes and protocols.
Where Does Breach Rank?
Once the HHS Office for Civil Rights confirms the details of the Premier incident, it has the potential to become the largest incident added to its breach tally this year involving lost or stolen unencrypted computing devices or storage media.
A March 9 snapshot of the wall of shame, which lists breaches affecting 500 or more individuals, shows only four other incidents reported since Jan. 1, 2016, involving lost or stolen unencrypted computing devices or storage media. The largest of these breaches involved a laptop computer stolen from Kansas-based healthcare provider Valley Hope Association. That incident, reported on Feb. 26, affected 52,000 individuals. The Valley Hope Association incident, when combined with the three other breaches involving unencrypted devices added to the wall of shame so far this year, affected a total of about 114,000 individuals.
By comparison, from Jan. 1 to March 9 in 2015, there were 11 breaches added to the wall of shame involving unencrypted devices. Those breaches affected a total of almost 162,000 individuals.
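The year-over-year comparison above is a simple filter-and-sum over the HHS breach tally. The following added example (not code from the article or from HHS) reproduces that tally logic over constructed records in the shape of the breach portal export; the field names, the sample entities other than Valley Hope Association, and their figures are assumptions chosen so the 2016 device total matches the article's "about 114,000".

```python
from dataclasses import dataclass
from datetime import date
from typing import Callable, Iterable

# Record shape modelled on the HHS breach portal export; the field names are
# assumptions for this example, not the portal's exact column headers.
@dataclass(frozen=True)
class Breach:
    entity: str
    submitted: date
    individuals: int
    breach_type: str   # "Theft", "Loss", "Hacking/IT Incident", ...
    location: str      # "Laptop", "Desktop Computer", "Other Portable Electronic Device", ...

DEVICE_LOCATIONS = {"Laptop", "Desktop Computer", "Other Portable Electronic Device"}

def is_lost_or_stolen_device(b: Breach) -> bool:
    """The article's category: a Theft or Loss breach whose location is a computing device."""
    return b.breach_type in {"Theft", "Loss"} and b.location in DEVICE_LOCATIONS

def is_hacking(b: Breach) -> bool:
    return b.breach_type == "Hacking/IT Incident"

def tally(breaches: Iterable[Breach], start: date, end: date,
          predicate: Callable[[Breach], bool]) -> tuple:
    """(incident count, individuals affected) for records submitted in [start, end]
    that match predicate. The wall of shame only lists breaches of 500 or more
    individuals, so smaller records are excluded before counting."""
    hits = [b for b in breaches
            if b.individuals >= 500 and start <= b.submitted <= end and predicate(b)]
    return len(hits), sum(b.individuals for b in hits)

# Constructed sample: only the Valley Hope figure is from the article.
SAMPLE = [
    Breach("Valley Hope Association", date(2016, 2, 26), 52000, "Theft", "Laptop"),
    Breach("Example Clinic A", date(2016, 1, 20), 31000, "Theft", "Other Portable Electronic Device"),
    Breach("Example Clinic B", date(2016, 2, 10), 21000, "Loss", "Laptop"),
    Breach("Example Clinic C", date(2016, 3, 2), 10000, "Theft", "Desktop Computer"),
    Breach("Example Hospital D", date(2016, 2, 15), 3900, "Hacking/IT Incident", "Network Server"),
    Breach("Example Practice E", date(2016, 1, 11), 450, "Theft", "Laptop"),   # under 500, not listed
    Breach("Example Practice F", date(2015, 2, 3), 8000, "Theft", "Laptop"),   # prior-year record
]

def report(breaches: Iterable[Breach], year: int, predicate=is_lost_or_stolen_device) -> tuple:
    """Apply the article's Jan. 1 to March 9 reporting window for the given year."""
    return tally(breaches, date(year, 1, 1), date(year, 3, 9), predicate)

if __name__ == "__main__":
    for yr in (2015, 2016):
        n, people = report(SAMPLE, yr)
        print(f"{yr}: {n} lost/stolen device breaches, {people:,} individuals")
```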
Signs of Progress?
The fact that fewer major breaches involving lost or stolen unencrypted devices have been reported so far this year may be a sign of progress, some security experts say.
"Certainly progress has been made over the years in the encryption of portable computing devices containing protected health information," says Dan Berger, CEO of the security consulting firm Redspin. "Yet as this [Premier] incident shows, it only takes one unencrypted device to cause a major incident."
Some organizations still fail to encrypt because they're willing to take the risk, or fail to understand why encryption is critical to protecting PHI on portable devices that are prone to loss or theft. "There is a human tendency to think 'it won't happen to me.' But ultimately it comes down to lack of process," Berger says. "Portable devices that contain PHI should be encrypted - period. It is the organization's responsibility to put that process in place and enforce it."
Privacy and security expert Kate Borten, founder of consulting firm The Marblehead Group, says that too often, smaller healthcare entities neglect to encrypt devices or take other security precautions to safeguard PHI.
"This type of organization [Premier] - a 'physician-led multispecialty provider healthcare group' - continues to lag behind hospitals, and typically lacks a robust security program, including even basic steps such as encrypting all laptops," she notes.
"Laptops and any other portable computer devices and media are automatically at higher risk of loss and theft than non-portable equipment. An information security program, including a risk assessment as required by HIPAA, should recognize that heightened risk and take steps to mitigate it, one of the most common strategies being encryption," she says.
As of March 9, roughly 40 percent of the 1,485 major breaches listed on the wall of shame since September 2009 (which together affected a total of 155.4 million individuals) have involved lost or stolen unencrypted computing devices.
Hacker Attack Worries
Despite so many incidents involving unencrypted devices, Berger says there are even bigger threats to PHI for healthcare organizations and business associates to be worried about these days.
"The more pressing concern remains targeted hacking attacks," he says. "A thief might steal a laptop because he or she wants the laptop without regard to what data is on it. A hacker is generally after the personal data itself and is thus more likely to use it for identity theft or other fraudulent purposes."
Although only about 11 percent of the breaches on the wall of shame involved hacking, those incidents affected 115.6 million individuals, or 74 percent of the total number impacted by all the breaches on the tally.
In 2015 alone, 56 hacker breaches were added to the federal tally. The largest, by far, was the cyberattack on health insurer Anthem Inc., which affected nearly 79 million individuals (see Lessons from 2015's Top Health Data Breaches).
So far in 2016, five hacking incidents have been added to the tally, affecting a total of almost 54,000 individuals.
Not yet added to the tally is a major hacker attack recently reported by 21st Century Oncology. The Florida-based chain of cancer treatment centers, in a March 4 Securities and Exchange Commission filing, said it has begun notifying 2.2 million individuals of a cyberattack that potentially compromised their PHI.