All I can say is “WOW!” I wonder how much this is going to cost the hospitals. How much damage is done to their reputation? What kind of government settlement, oversight and years of scrutiny will this cost the hospitals when regulatory agencies are done negotiating with them on penalties and remediation?
Here is the gist of the story:
“Thieves made off with the personal health records of about 1.7 million New Yorkers when they stole backup tapes from four Bronx hospitals in December, the city’s Health and Hospitals Corp. revealed….
…The computer backup tapes were stolen on Dec. 23, but the New York City Health and Hospitals Corporation began notifying victims Feb. 9, according to a statement issued by the 14-hospital system on Feb. 11. While it took HHC nearly two months before reporting the data breach, it was well within the 60-day period required by New York state law. It took HHC this long to sort through the files to assess what kind of information the tapes had contained and who it belonged to, before reporting the data breach, according to the hospital group….
…The tapes contained full names, addresses, social security numbers, medical record numbers, health insurance information, diagnoses and treatment data, telephone numbers, birth, admission and discharge dates, and mothers’ maiden names, according to HHC’s FAQ site. Staff, vendors, and contractors may have other personal information, such as professional licensure numbers.”
The full story is here:
I have had some discussions with a few people about this. One person suggested that they would be OK if the tapes had been written with a password. Password protection of this kind is very limited: it is enforced only by the application software that created the backup, so it stops only people who try to read the tapes through that software. If the data itself is not encrypted, someone with moderately sophisticated skills and the right tools can read it off the tape block by block, bypassing the backup application and its password prompt entirely. The password is the equivalent of the lock on your front door. It only keeps out the honest people. The determined burglar or professional thief will still get in.
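The difference between an application-level password and real encryption can be checked directly on the medium. The following Python script is an added example, not code from the original post or from HHC: it constructs two sample backup blocks (fictitious records, constructed for this illustration) and runs the kind of check a backup administrator can run against a raw tape or disk image to confirm that the data is actually encrypted. The "password-only" block has a password flag in its header but carries the records in the clear, so a byte-level scan still finds SSN- and MRN-shaped values and measures low entropy. The "encrypted" block stands in for real ciphertext (a deterministic SHA-256 chain is used here only so the example runs offline; a production vault would use AES-GCM or a comparable cipher, which is an assumption of this example, not something the post specifies). Nothing recognizable survives in it, and the entropy is close to 8 bits per byte.

```python
"""Check whether a raw backup block is really encrypted or merely 'password protected'."""
import hashlib
import math
import re
from collections import Counter

# Constructed sample records (fictitious names and numbers), NOT real patient data.
_SAMPLE_RECORDS = (
    b"SMITH,JOHN|123-45-6789|MRN00012345|DX:ACUTE BRONCHITIS|ADMIT 2010-12-01\n"
    b"DOE,JANE|987-65-4321|MRN00067890|DX:FRACTURE LEFT RADIUS|ADMIT 2010-12-03\n"
)

# Block 1: what an application-level "password" actually leaves on the medium:
# a header flag that only the backup software honours, followed by the records in the clear.
PASSWORD_ONLY_BLOCK = b"BKUPv1 PASSWORD_REQUIRED=1\n" + _SAMPLE_RECORDS * 40


def _pseudo_ciphertext(length: int, seed: bytes = b"demo-seed") -> bytes:
    """Deterministic high-entropy bytes standing in for ciphertext.
    Assumption: a real vault would use AES-GCM or similar; this chain of SHA-256
    digests is only a reproducible stand-in so the example runs offline."""
    out = bytearray()
    block = hashlib.sha256(seed).digest()
    while len(out) < length:
        out.extend(block)
        block = hashlib.sha256(block).digest()
    return bytes(out[:length])


# Block 2: the same amount of data after real encryption: no structure remains.
ENCRYPTED_BLOCK = _pseudo_ciphertext(len(PASSWORD_ONLY_BLOCK))


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext, typically 4 to 6 for text records."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


# PHI-shaped tokens: US SSN format and the medical-record-number prefix used in the sample.
_SSN_RE = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")
_MRN_RE = re.compile(rb"\bMRN\d{6,}\b")


def plaintext_indicators(data: bytes) -> dict:
    """Count recognizable tokens and printable bytes. Any hit means the medium can be
    read block by block regardless of what the backup software's password prompt says."""
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in data)
    return {
        "ssn_like": len(_SSN_RE.findall(data)),
        "mrn_like": len(_MRN_RE.findall(data)),
        "printable_ratio": printable / len(data) if data else 0.0,
    }


def assess_block(data: bytes, entropy_threshold: float = 7.5) -> dict:
    """Classify a raw block as 'plaintext' (readable off the medium) or 'encrypted'."""
    ent = shannon_entropy(data)
    ind = plaintext_indicators(data)
    readable = ind["ssn_like"] > 0 or ind["mrn_like"] > 0 or ind["printable_ratio"] > 0.9
    verdict = "plaintext" if (readable or ent < entropy_threshold) else "encrypted"
    return {"entropy": round(ent, 2), "verdict": verdict, **ind}


if __name__ == "__main__":
    for name, blk in (("password-only", PASSWORD_ONLY_BLOCK), ("encrypted", ENCRYPTED_BLOCK)):
        print(f"{name:14s} {assess_block(blk)}")
```

On a real image the same scan would be run over every block, and any block that scores as "plaintext" is a finding in its own right: the password flag in the header protects nothing if the bytes behind it are readable. The entropy threshold is a heuristic; compressed data also scores high, so the token scan is the more reliable of the two signals.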
This heist is one of the best arguments for using an encrypted Disk-to-Disk online data storage vault that I have ever heard. Eliminating the physical tapes that must be picked up by couriers, employees, etc. removes a huge area of risk from the whole backup process.
There are some quality high-speed and encrypted systems available that offer more secure Disk-to-Disk online data storage vault services. Check out Alvaka’s page to find out more about the services that help prevent such a debacle.