Car Burglars: A Major Breach Threat

Yet Another Incident of Stolen Storage Media
Car Burglars: A Major Breach Threat
Yet another breach incident involving the theft of computer storage media from a vehicle was added to the official federal tally of major health information breaches this week.

In this incident, which dates back to July, a hard drive containing information on more than 63,000 patients was stolen from the car of an employee of the Neurological Institute of Savannah in Georgia. The drive contained information on patients treated between Jan. 1, 2006, and July 2, 2011, according to a statement on the institute's website. The information included names, Social Security numbers, addresses, dates of birth, telephone numbers and billing account data, but no financial data or medical records.

Two of the largest breaches reported in recent months have involved similar circumstances. For example, in the largest breach incident reported since the HIPAA breach notification rule took effect in September 2009, TRICARE, the military health program, reported 4.9 million beneficiaries were affected when unencrypted computer backup tapes were stolen from the car of a business associate's employee. And in an earlier incident, New York City Health and Hospitals Corp. reported unencrypted backup tapes containing information on 1.7 million individuals were taken from the truck of a business associate.

The Neurological Institute says it's working with local police in an attempt to identify the thief and recover the items stolen. "We have also modified our security procedures to eliminate any loss or potential breach of this nature in the future," according to the institute's statement.

"Although parts of the data were encrypted, password-protected and randomly stored, there is a possibility your data could be accessed by an unauthorized individual," the statement to affected patients says. So far, there is no evidence the data has been used inappropriately, and police believe the thief "likely was not trying to steal data," the statement adds. Rather than offering free credit monitoring services, the institute is advising those affected to place a fraud alert on their credit reports.

Security consultant Rebecca Herold advises healthcare organizations to encrypt all backup media and take other security precautions, as outlined in a recent blog.


About the Author

Howard Anderson

Howard Anderson

News Editor, ISMG

Howard J. Anderson is news editor of Information Security Media Group and was founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 34 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.




Around the Network