Shostack + Friends Blog Archive

 

Providence Home Services, 365,000 people, health records, theft from employee vehicle

From Computerworld (via Slashdot) we learn that a home health care business deliberately sent patient info home with an employee as part of their disaster recovery plan. I’m serious. Now, unless this guy lives under Cheyenne Mountain, I’m saying that’s a dumb plan. Anyhoo, some of the information was encrypted, but much of it was not. Specifics on what was stolen:

The information on the disks and tapes included names, addresses, dates of birth, physicians’ names, insurance data, diagnoses, prescriptions and some lab results. For approximately 250,000 of the patients, Social Security numbers were on the records, according to the health system. Some of the records also included patient financial information.

Funny. A guy at Ameriprise (foolishly) takes his work home and gets canned for it. Meanwhile, the exact same activity is mandatory at another regulated institution.
(BTW, sorry if I sound snarky — low on caffeine at the moment)
Update 02/04/2006: The police report is now available online [link to http://providenceidentitytheft.com/article.php?story=20060204024316996 no longer works]. It is very interesting. It’s also worthy of note that a single individual whose PII was stolen has so quickly created a community web site dealing with the breach through which his information was revealed.

3 comments on "Providence Home Services, 365,000 people, health records, theft from employee vehicle"

  • Richard Johnson says:

    Consider the differences between deliberately taking a risk and instituting reasonable countermeasures (Providence Home Services, encryption) vs. violating policy to take a risk without reasonable countermeasures (Ameriprise, cleartext). The contrast is quite significant.
    In addition, employee homes are quite reasonable places for data recovery stores. After all, not all “disasters” are state-wide or even city-wide. In fact, the majority of threats to a business take out only a part of the business. Cat 5 hurricanes and failed dikes are actually rare.

  • Chris Walsh says:

    Richard:
    You and I disagree in our estimates of how much of the data was encrypted.
    Based on that disagreement, we reach different conclusions as to the suitability of an employee’s home as a location for off-site records storage.
    Don’t get me wrong, back in the day I used to keep a set of level 0 dumps from an engineering cluster under my bed “just in case”; but giving a burglar a grad student’s circuit design is in a different league from giving a car thief people’s medical and financial data.

  • David Brodbeck says:

    Taking a set of backup tapes home for an offsite backup is an old trick, and was part of the disaster recovery plan at a couple of places I’ve worked. While it’s not appropriate for unencrypted data requiring secure storage, it does provide some level of disaster recovery protection for localized disasters — for example, if the building burns down. Living under Cheyenne Mountain is overkill unless you’re concerned about business continuity after a nuclear attack. 😉
