Slashdot Mirror


Medical Data on 365,000 Patients Stolen

Anonymous writes "Backup tapes and disks with data on 365,000 patients were stolen out of the car of a worker at a healthcare company in Portland. According to this Computerworld story, the tapes were in his car because he took them home as part of a disaster recovery plan, to protect the information from fire and other on-site disasters. D'oh!"

10 of 226 comments

  1. Well, the question is ... by ScrewMaster · · Score: 5, Insightful

    do they have a recovery plan for this disaster?

    --
    The higher the technology, the sharper that two-edged sword.
  2. Why is anyone allowed to take the records? by hsmith · · Score: 1, Insightful

    I mean, that has to be violating health care laws, the individual taking patient records home, even if they are in some proprietary format. That can't be legal at all, due to patient confidentiality, etc. I hope something serious comes from this.

  3. OK by 42Penguins · · Score: 3, Insightful

    Cue the "bandwidth of a station wagon of backup tapes" cliches? If it's stuff they really don't want stolen, why not buy a safe for his car? Better yet, give him a company truck/van with secure storage. If they have 365,000 patients (customers) then they can surely afford to protect their information.

  4. Re:hmmm by OgreChow · · Score: 2, Insightful

    I could be wrong, but I don't think there are a lot of 100 degree days in Portland.

  5. Much worse! Data really on disks! by SuperKendall · · Score: 4, Insightful

    It took me a minute to decipher that cryptic comment, but look at these two parts from the article together:

    In an announcement yesterday, Providence Home Services, a division of Seattle-based Providence Health Systems, said the records and other data were on several disks and tapes stolen from the car of a Providence employee at his home. The incident was reported by the employee on Dec. 31, according to the health care system.
    The data on the tapes was encrypted, Walker said. The data on the disks was in a proprietary file format that was not encrypted, but "is stored in a way that would make it difficult, if not impossible, for someone to access it, then make any sense out of it," he said.


    So think about it - Tapes AND Disks were stolen (at first I had thought it was just tapes). The hard to read media (tapes) were encrypted. But it doesn't matter, chuck 'em in the river because the DISKS (far easier to read by any fool with a computer) have data that is in a format that is just "hard to read"!!

    Give me five minutes with Emacs and/or a Hex editor and/or Strings and I'll bet I could start churning SSN's out of the files right quick! I don't care if they are ISAM or DB2 or Pig-Latin! Security by file format obscurity is zero security, that data has to be treated as widely known at this point.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  6. Sounds a bit sketchy... by TheNoxx · · Score: 2, Insightful

    $20 says the worker is the one that "stole" the tapes. Who randomly walks up to a car and says "Oh look! Patent info! I'll take this home right away and start using my cryptography techniques to unlock it right away!"

    --
    Ex nihilo nihil fit.
  7. Re:I Live In Fear of This by good+soldier+svejk · · Score: 2, Insightful

    To be fair, I have a medium term solution in the pipe and there is budget for it. Rather than wait for the DR datacenter project to mature, we will pursue tape elimination and replicate the backup over the wire. Basically we are going to go with a content addressable disk backup target. Something like Data Domain. It still has no value from a DR perspective, but it eliminates the HIPAA exposure and restore latency. It also gets us out of the tape management business (yay!). Basically we replace tape with CAS and replicate the CAS box to a second one in another site. The second site does not have to be a full data center, only meet minimal standards. That will get me by until the DR project comes to fruition. Right now we are reviewing possible targets.

    --
    It is cowardly, and a betrayal of whatever it means to be a Jew, to act as a white man

    -James Baldwin
  8. Re:No problem by Anonymous Coward · · Score: 1, Insightful
    Most offsite backups are encrypted anyway.

    Upon what are you basing this statement?


    I can tell you, from first-hand experience, that the majority of companies do *not* encrypt their backup data. I could (but won't) name a dozen Fortune 100 companies that I know for a fact don't encrypt backups. I could (but won't) name dozens of Fortune 500 companies that don't. I could (but won't) name dozens of health-care companies/organizations that don't.


    Why don't they? It's freakin' expensive. The argument can be made that losing data (like this) can be a lot more expensive (and I'd agree whole-heartedly), but getting the bean-counters to recognize that is a lot harder.


    Encrypting the backups for one or two systems is pretty easy. The software is readily available, and the processing overhead is easily managed on a couple of boxes. Encrypting the enterprise is much harder. Either you try and manage keys and processor overhead on a few thousand systems, or you go with SAN devices to do the encryption... which ain't cheap.


    Trust me, I architect solutions like this for a living. It's expensive. Really, really expensive.
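
The distinction drawn in comments 5 and 8 above, as an added example that is not part of the original thread: a check a backup operator could run before media leaves the site, showing that an unencrypted "proprietary" record format still exposes readable strings and ID-shaped fields, while encrypted media does not. The record layout, the `REC1` magic, the field values and the SHA-256 counter stream standing in for real ciphertext are all constructed assumptions; high entropy is necessary but not sufficient, since compressed data also scores high.

```python
import hashlib
import math
import re
import struct

# Lookarounds instead of \b: in packed records an ID field can sit directly
# against the next record's magic bytes, where \b would not match.
ID_LIKE = re.compile(rb"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext, far lower for records."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def printable_runs(data: bytes, min_len: int = 6) -> list:
    """What `strings` reports: runs of printable ASCII of min_len or more."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)

def audit_media(data: bytes, min_entropy: float = 7.5) -> dict:
    """Flag media that should not leave the site as-is."""
    entropy = shannon_entropy(data)
    id_like = len(ID_LIKE.findall(data))
    return {
        "entropy": round(entropy, 2),
        "readable_strings": len(printable_runs(data)),
        "id_like_fields": id_like,
        "looks_encrypted": entropy >= min_entropy and id_like == 0,
    }

def constructed_records(n: int = 100) -> bytes:
    """Constructed sample: fixed-width binary records, unencrypted."""
    return b"".join(
        struct.pack("<4sI24s11s", b"REC1", i,
                    b"PATIENT %04d" % i, b"000-00-%04d" % i)
        for i in range(n)
    )

def constructed_ciphertext(n_blocks: int = 128) -> bytes:
    """Constructed stand-in for encrypted media: a SHA-256 counter stream."""
    return b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest()
                    for i in range(n_blocks))

if __name__ == "__main__":
    print("disk image:", audit_media(constructed_records()))
    print("tape image:", audit_media(constructed_ciphertext()))
```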

  9. Re:Absurd by Anonymous Coward · · Score: 2, Insightful

    Show me the place where HIPAA says you can't send medical information over the internet...

    And if you can (which you can't) you will find that every state health agency in the country, most federal agencies, and most hospitals and health care providers are in violation.

    HIPAA only requires you to make every possible effort to protect data. Protection can include things like encryption and tunneling, all the way down to privacy screens and closed office doors.

    Nothing about not using the internet...

  10. Off Site by Anonymous Coward · · Score: 1, Insightful

    This is why there are companies that specialize in off site back ups.
    1) Make back ups
    2) Pay company to pick up the DLT's
    3) Tapes get dropped off to secure facility.

    Some companies that come to mind are
    a) Iron Mountain
    b) IG2

    Hell, if there is a problem; they will come back to your shop in a couple of hours with the tapes in question.

    Why do I get the feeling that this used to be done; but the practice of cost cutting changed that plan. No, I don't have inside info; just a gut feeling. On a side note; I work in a data center and I have seen cost cutting plans by various companies in action. Tapes no longer get shipped off site; they just sit there in a cage on the floor.

    Practices like these are disconcerting; makes me wonder why I still work in this business. Cutting costs still seems to me the norm. Everything is fine and dandy until you have to restore the tapes or fix an outage. Sorry for going OT; but it is getting a tad bit depressing with the current state of affairs.