Breach Incident Triggers Encryption

4,000 Youths Affected by Hard Drive Theft
Breach Incident Triggers Encryption
An Illinois childcare agency has articulated a revised security policy, including the use of encryption, in announcing a breach involving the apparent theft of three unencrypted back-up portable hard drives.

Maryville Academy in suburban Chicago says in a statement on its website that it discovered on Feb. 1, 2011, that the secondary back-up portable hard drives containing information on nearly 4,000 children and adolescents who received services at the academy had been removed from a locked room. The breach occurred between Jan. 25, 2011, and Feb. 1, 2011, and affected those who were served between 1992 and 2011.

Information on the drives included some Social Security numbers as well as names, dates of birth, Department of Children and Family Services identification numbers, and historical information on children and their families, including treatment plans, medications and reports on behaviors. The academy says it has no evidence that anyone has attempted to access, use or disclose the data.

In a much more detailed report of its actions in the wake of the breach than has been provided after many other recent incidents at other organizations, the academy states:

"All data security policies and procedures have been reviewed and updated, including the maintenance of back-up hard drives. To protect against any future breaches, Maryville Academy has changed the location of its local site and the manner for storing any back-up hard drives and has upgraded the security for this purpose.

"In addition, Maryville Academy is now in full compliance with the U.S. Department of Health and Human Services' recommended procedure of using data encryption to protect clients' health information. Maryville Academy has begun a practice of using specialized security software to completely encrypt all the records on these back-up hard drives. This encryption software scrambles the data on the back-up hard drives, which makes the information unusable in the event they are ever lost or stolen in the future."

The incident is not yet listed on the HHS Office for Civil Rights' list of major healthcare information breaches. Under the HITECH Act breach notification rule, all breaches must be reported to OCR and the individuals affected. Major breaches, those affecting 500 or more individuals, must be reported to OCR within 60 days, while smaller incidents can be reported annually.

About the Author

Howard Anderson

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.