Slashdot Mirror

← Back to Stories (view on slashdot.org)

Loss of a Single Laptop Leads to $50k Fine Against Idaho Hospice

Posted by Unknown on from the sterm-talking-to dept.

netbuzz writes "Losing a single laptop containing sensitive personal information about 441 patients will cost a non-profit Idaho hospice center $50,000, marking the first such HIPAA-related penalty involving fewer than 500 data-breach victims. Yes, the data was not encrypted. 'This action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients' health information,' says the Department of Health and Human Services."

11 of 188 comments (clear)

  1. This is why God invented encryption by kriston · · Score: 4, Insightful

    This is why God invented encryption.

    --

    Kriston

  2. Being non-proft does not justify being incompetent by gweihir · · Score: 4, Insightful

    Yes, it is tragic, but effective encryption is free (TrueCrypt, e.g.) and a non-profit still does not have any business being incompetent.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  3. Re:It works! by DoofusOfDeath · · Score: 3, Insightful

    It's hard to tell if you're being sarcastic or not.

  4. Government penalizers doing... by Anonymous Coward · · Score: 5, Insightful

    ...what govt penalizers do best: pick on those least capable of defending themselves... in other words go after the low hanging fruit and don't bother with the really hard stuff like rich, for-profit hospitals and clinics that routinely violate HIPAA... because those have armies of high-dollar lawyers who'll make life hard on the govt if they attempt to go after them.

    1. Re:Government penalizers doing... by ColdWetDog · · Score: 3, Insightful

      Nice rant. Too bad you're mostly wrong. HIPAA actually does manage to get data protection pushed far and wide in an industry that fights tooth and nail against any change. It's hardly perfect but it's not terribly onerous and most of the edge cases and implementation problems have been sorted out.

      I'm not sure why they chose to beat up on some rural Hospice provider - they've had plenty of chances to hit some big boys and girls, but this will send out a signal that you shouldn't fuck around and avoid doing simple things. It isn't much of an expense to encrypt laptops. It's not hard to put locks on doors, HIPAA has made it easier to transfer data back and forth between providers because everyone is working off the same set of rules.

      Maybe you should bash your head with your copy of Atlas Shrugged a few more times until things are clearer.

      --
      Faster! Faster! Faster would be better!
  5. Re:It works! by Alwin+Henseler · · Score: 4, Insightful

    No it doesn't. For starters: such a fine is a good thing, but it should be payable to the victims of the data breach (as in: the people whose sensitive data was dumped on the street). One way or another, they suffer damage from a data breach, they should be compensated.

    Secondly, it won't prevent further breaches like they happen so often these days. Maybe if fines are stiff enough, and handed out often enough, over time it will produce an effect. I wouldn't hold my breath though. When it comes to keeping data private, a new idiot is born every day. Sometimes an idiot in charge, but that's not always necessary.

  6. Re:Hospice prices go up by sunking2 · · Score: 3, Insightful

    Hopsice prices can't just arbitrarily go up for 99.9% of people who use insurance or medicaid. They work on prenegotiated rates. They can charge all they want, insurance is only going to pay them what they agreed to.

  7. Re:It works! by Enry · · Score: 4, Insightful

    Yes, and the next time some Hospice official thinks about not encrypting their data, they're going to remember this event and think better of it.

    HIPAA violations are serious. People have likely lost their jobs over this. Even though I'm not in a position to routinely work with patient data, my employer requires that my laptop is encrypted - in the case of my Linux laptop I was able to convince them that using encrypted LVM was sufficient.

  8. -or- they learned another lesson... by bradorsomething · · Score: 3, Insightful

    When you lose one laptop worth of patient data, don't tell anybody.

  9. Re:It works! by mlts · · Score: 3, Insightful

    I'm happy HIPAA is being enforced. We have already had way too many breaches, either tapes left in unsecured locations, or laptops "going missing".

    We already have had a decade of businesses giving security the hind teat, since it is viewed as a cost center, and the belief that "calling Geek Squad" after the fact can fix things. Having it made public that if laws/regs are broken, that fines will be levied might get places to zip their flies.

    Encryption of laptops is not hard, especially Windows laptops that are the mainstay in business that have TPM chips. With any Windows version newer than Vista, Bitlocker is very easy to enable on an enterprise level. For most things, just forcing BitLocker via GPO on laptops, even if the user is a full admin is more than good enough for security.

    For laptops without a TPM, Windows 8 and Windows Server 2012 allow for a password to be set before boot.

    Almost all new major operating systems have some form of DAR/WDE encryption ready to go. Linux has LUKS, BSD has gbde, AIX has EFS, Solaris has encrypt(1), OS X has FileVault II. Enabling this may not be trivial, but it is doable.

    Of course, almost all new backup programs have encryption, usually create/import a key, set a button to encrypt, and let fly. Netbackup has the Media Server Encryption Option, but even better, if one uses LTO-4 or newer media, NBU can just use the tape drive native AES encryption directly.

    There is no excuse for encrypting laptops and media these days. None.

  10. Re:A 'Big' fine? by afidel · · Score: 3, Insightful

    Dude, it's a small nonprofit hospice, it's doubtful they HAVE an IT guy, more likely a consultant they bring in to fix something every few years. I know because I worked consulting in a practice focused largely on smb medical and only our largest and/or most profitable customers ever engaged us for anything more than break/fix. I got out just as HIPPA enforcement was coming online and almost none of our clients was prepared despite the fact that we had sent along information for several years pointing them to organizations that could help them write their policies (we got nothing directly out of this, though given the state of many of their IT systems they would have needed services to become compliant with legal minimum practices).

    --
    There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.