Slashdot Mirror


Backup Tapes With 2 Million Medical Records Stolen

Lucas123 writes "A vehicle used by an off-site archive company to transport patient data was broken into on March 17. The University of Miami just made the theft public last week, saying the thieves removed a transport case carrying the school's six computer backup tapes. On those tapes were more than 2 million medical records. In fact, the archive company waited 48 hours before notifying the university itself. A University spokeswoman said the school has stopped shipping backup tapes off-site for now."

15 of 173 comments

  1. *Still* no encryption?? by DigitAl56K · · Score: 4, Insightful
    There needs to be a law regarding data encryption. Virtually every time data is stolen, be it on CDs, laptops, backup tapes, missing hard drives, and so forth, it is not encrypted. In fact, I can think of only one case that has made press in the last 4-5 years that I can remember encryption being used to safeguard the data.

    Transporting confidential data off-site via any medium, including the Internet, without industry-recognized encryption (not something that is proprietary and untested) ought to be a criminal offense with severe penalties.

    TFA talks about proprietary compression and encoding and not about encryption. I simply do not believe that it is difficult to recover that data - whatever proprietary software wrote those files can be obtained from somewhere for a price. You can probably Google the file extension or some information in the header to determine the format and/or software.

    "The university feels confident that the person who took [the tapes] doesn't know what they have." They do now!

    "Even though I am confident that our patients' data is safe, we felt that in the best interest of the physician-patient relationship we should be transparent in this matter." That data is not safe. At best it is in an obscure, but not secure format.

    It's incredible, really. Since TrueCrypt 5.0 arrived, I don't even carry my work laptop or flash drives around without either full disk encryption or encrypted container files on them, and they do not contain anything as sensitive as 2 million medical records.
    1. Re:*Still* no encryption?? by jimicus · · Score: 2, Insightful

      I knew that I would see a post saying something like this.

      Yes encryption is a great thing and should be used all the time, especially on laptops. Well actually, there is one time when it *shouldn't* be used (or at least, not automatically). Want to know when that is?

      For backups. THANK YOU. I'm glad I'm not the only person who thinks this.

      The backup software I use (http://www.bacula.org - a fantastic piece of work) does have the facility to encrypt everything.

      But I've considered the risk to the business in the event of tape loss versus the risk to the business in the event that we can't decrypt the data because for whatever reason the office has burnt to the ground and the offsite copies of the keys aren't recoverable.

      I concluded that if it's a choice between explaining a lost tape and explaining the fact that I have the tape but the sun will have burnt itself into nothing before anyone can read it, "oops, I lost the tape" was easier to explain and rather less likely to result in the business going to the wall.
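The "lost tape versus unrecoverable key" trade-off above is usually handled by envelope encryption: the tape is encrypted under a random data key, and that data key is wrapped separately for several independent custodians, so the backup survives the loss of every key holder but one. The following is an added illustration, not the poster's code and not Bacula's; it uses an HMAC-SHA256 counter-mode stream cipher with an HMAC tag purely so it runs with the Python standard library, and the custodian names and passphrases are constructed.

```python
import hashlib
import hmac
import os
import secrets

# Pedagogical PRF-based stream cipher (HMAC-SHA256 in counter mode) with an
# HMAC tag. Stdlib-only stand-in for a real AEAD such as AES-GCM, used here
# only so the envelope-encryption structure is visible end to end.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    for i in range((length + 31) // 32):
        out += hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(out[:length])

def _seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag

def _open(key: bytes, blob: bytes) -> bytes:
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))

def _kek(passphrase: str, salt: bytes) -> bytes:
    # Key-encryption key derived from one custodian's passphrase.
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000, dklen=32)

def make_backup(payload: bytes, custodians: dict) -> dict:
    """Encrypt payload under a fresh random DEK; wrap the DEK once per custodian."""
    dek = secrets.token_bytes(32)
    wrapped = {}
    for name, passphrase in custodians.items():
        salt = os.urandom(16)
        wrapped[name] = salt + _seal(_kek(passphrase, salt), dek)
    return {"ciphertext": _seal(dek, payload), "wrapped_keys": wrapped}

def restore_backup(backup: dict, custodian: str, passphrase: str) -> bytes:
    """Any single surviving custodian can unwrap the DEK and read the tape."""
    blob = backup["wrapped_keys"][custodian]
    dek = _open(_kek(passphrase, blob[:16]), blob[16:])
    return _open(dek, backup["ciphertext"])
```

Each wrapped key can be stored with a different party (on-site safe, off-site lawyer, escrow service); losing the office destroys one wrapped copy, not the ability to read the tape.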
    2. Re:*Still* no encryption?? by filthpickle · · Score: 2, Insightful

      I work for an insurance claims clearinghouse. The company I work for takes the HIPAA laws very seriously. One big mix-up with patient data and no matter how good you are nobody will want to use you.

      2 million lost records is a lot, so just about any company would be compelled to own up to it...and they really aren't at risk here since they didn't knowingly or recklessly (geek level arguments about data transport aside) release the data.

      Since they didn't technically violate any HIPAA laws, I don't think that they are required to report it to anyone. You can check for yourself: http://www.hhs.gov/ocr/hipaa/

      I can also tell you that by their own admission, HIPAA enforcement is complaint driven; they don't do anything until someone informs them of a violation.

  2. Do not panic by Psychotria · · Score: 2, Insightful

    "A University spokeswoman said the school has stopped shipping backup tapes off-site for now." Well, I am sure that makes everyone sleep a little easier tonight--it's obviously all under control.
  3. 2 million records, or people? by pclminion · · Score: 4, Insightful

    The article is very careful to phrase it as "2 million medical records." I somehow doubt that this means the medical records of 2 million separate individuals -- if it did, surely the news outlet would have said so, as it is much more dramatic. I bet a "medical record" is a single row in the database, and what was really stolen was a DB with 2 million records (as in "rows") in it. I seriously doubt the medical records of 2 million people are all collected on a single set of tapes.

  4. Even better by Psychotria · · Score: 4, Insightful

    "The university feels confident that the person who took [the tapes] doesn't know what they have. Even if they do know what's contained inside, it's very difficult to extract that information," remarked Menendez. I am sorry, Menendez, but difficult for whom, exactly? Your school is not unique, nor is it the pinnacle of knowledge (no school is). If we could decrypt things 50 years ago, how is a "compression" method hard to work out?
  5. My new data security plan. by Digestromath · · Score: 2, Insightful
    Physical Security: Lock the damn doors to the van when you leave it parked outside the Cheesy Burger.

    Multi key, multi volume encryption: Lock each of the tapes in a different cabinet in the van, each with a different key.

    Security through obscurity: Remove large sign on van reading "Secure Data Transport, 'Transporting your valuable data since 1991'" replace with "Flowers By Irene"

    Introduce comprehensive staff security training: Hold their families hostage, and tell them that if they lose the data...

  6. Re:yes but what's the value by Anonymous Coward · · Score: 1, Insightful

    I wouldn't buy a stolen Rolex for $30 either, therefore no stolen Rolex is ever resold.
    Awful logic, isn't it?

    The correct question is: how much would you pay for 2M medical records if you were in the insurance business?

  7. In 2025 those will still be valid SS numbers by plantman-the-womb-st · · Score: 4, Insightful

    Get your most closely kept personal thought:
    put it in the Word .doc with a password lock.
    Stock it deep in the .rar with extraction precluded
    by the ludicrous length and the strength of a reputedly
    dictionary-attack-proof string of characters
    (this, imperative to thwart all the disparagers
    of privacy: the NSA and Homeland S).
    You better PGP the .rar because so far they ain't impressed.
    You better take the .pgp and print the hex of it out,
    scan that into a TIFF. Then, if you seek redoubt
    for your data, scramble up the order of the pixels
    with a one-time pad that describes the fun time had by the thick-soled-
    boot-wearing stomper who danced to produce random
    claptrap, all the intervals in between which, set in tandem
    with the stomps themselves, begat a seed of math unguessable.
    Ain't no complaint about this cipher that's redressable!
    Best of all, your secret: nothing extant could extract it.
    By 2025 a children's Speak & Spell could crack it.

    You can't hide secrets from the future with math.
    You can try, but I bet that in the future they laugh
    at the half-assed schemes and algorithms amassed
    to enforce cryptographs in the past.

    --
    Say bad words about my book, in cold oatmeal, or I shall sue!
  8. Doesn't modern tape backup software encrypt data? by Futurepower(R) · · Score: 2, Insightful

    "On the black market these days, a full identity (name, SSN, address, bank information, etc) can go for $14 each."

    Good answer. Next question: Doesn't all modern tape backup software encrypt all data?

    Even my personal DVD backups are encrypted automatically.

  9. Re:TFA does NOT say they were encrypted by frdmfghtr · · Score: 2, Insightful

    In this day and age of "Information Warfare" you should consider every system for moving data vulnerable and take measures to ensure that attempting to steal that data would be more work than what it's worth.
    In the case of physically moving high-value backup drives/tapes to off-site storage, that would mean an armored courier. That data is money to somebody, so protect it like money. Sure it's more expensive than the local Speedy Messenger cargo van, but so is losing control of the data.
    --
    Government's idea of a balanced budget: take money from the right pocket to balance...oh who am I kidding?
  10. Re:Relative Risk by ColdWetDog · · Score: 2, Insightful
    Bah, I would disagree. And IAAP (I am a physician) - who has worked in IS intermittently for decades.

    First, if you're recovering from an off-site backup tape, something went down and it's going to take a while to get it running again. Decrypting can't add much more than 20 - 30% (number pulled from appropriate nether region) to the time. If it does you need to upgrade those C-64's you're using in the server room.

    Second, if the data is bulk stuff going off site, it's obviously not a primary rapid-response data restore. It's likely historical and most likely business data with very little clinical information. Probably just ICD9 / CPT codes (diagnosis and procedure codes, look it up only if you're very, very bored).

    And thirdly, if your docs are so addicted to the computers that they're going to kill people without them, they should start rethinking their approach to medicine. That sort of historical data just isn't that important. We've treated people for centuries without computers. Having all that clinical information at your fingertips is great, wonderful and certainly to be encouraged, but lack of it isn't life threatening.

    Having Google go down on the other hand ....

    --
    Faster! Faster! Faster would be better!
  11. pretty valuable for cherry-picking risk pools by ridgecritter · · Score: 2, Insightful

    If I ran a medical insurance company, those tapes could let me know whose applications to deny and whose to accept. Very valuable indeed.

  12. Has nothing to do with medical staff by filthpickle · · Score: 2, Insightful

    Medical staff and any other people untrained in information security just aren't going to have the computer literacy or "computer common sense" to handle millions of peoples' medical records adequately.

    But it's all in the name of tracking your every move, so I guess it's OK. Your network should be secure (they don't set that up)

    The software they use should be secure (they didn't write it)

    The method you use to transmit your claims should be secure (they don't set that up)

    All you have to tell them is "don't email claim/medical record files." I have taught literally hundreds and hundreds of shockingly stupid people (the people at your doctor's office or the hospital that do the billing are almost certainly the lowest paid people in the chain...in the ballpark of minimum wage) how to zip and encrypt a file so they can email it. With 7zip it is a 3 step process.

    Insurance companies have to track your every move when it involves you going to the doctor/hospital.
  13. Re:TFA does NOT say they were encrypted by guruevi · · Score: 2, Insightful

    I work at a University with a large medical site/hospital/research and I've worked in several businesses that have to have HIPAA or SoX compliance. The laws state, and the legal advisors make sure you know this: if your data was encrypted and then lost, disclosure is not mandatory and thus the agreement of the employer then takes over; if you disclose it anyway, you lose your job.

    Another example: If you have a database, it is sufficient to only protect/encrypt one of the (I think it's five) identifiers to be compliant. For example, if you have name, first name, address, SSN and birthdate, you only would have to encrypt the SSN to be safe. Although in another database or even table you can have partial SSN, customer number and credit card number, you encrypt the credit card number and you're safe. If both are compromised, neither has to be disclosed if both tables were not used in the same application and thus had different access controls. Anyone with some database knowledge of course knows that as superuser (what you're usually hacked as) you can easily join the tables to get a more complete picture.

    I know of places that have lost, have been hacked into or have misplaced thousands of data records including credit card numbers etc. and have not needed to disclose simply because they used 'some form of encryption'. That the encryption/decryption keys could've been compromised at the same time or at another time is none of their concern; they abide by the law.

    --
    Custom electronics and digital signage for your business: www.evcircuits.com