Another Day, Another Loss of Hundreds of Thousands of Personal Records

This time, they’re medical records. From Computerworld:

The tapes and disks were taken home by the employee as part of a backup protocol that sent them off-site to protect them against loss from fires or other disasters. That practice, which was only used by the home health care division of the hospital system, has since been stopped, said health system spokesman Gary Walker.

Really, taking the tapes home wasn’t that bad of an idea, although he probably should have dropped them off at a cave or something. The real issue is the inevitability that your information will (has!) already travelled from one of the hundreds of databases that already holds it into the hands of someone who can abuse it.

Would fining companies who do not properly secure customer data help?

Comments

Edit Your Comment

  1. This incident is due to a legacy of old best practices where off-site backups were the gold-standard for data reliability. I’ve worked to eliminate where I work since this practics is not the best practice with respect to security.

    Though there are now better ways to secure off-site backups, including services specifically for this purpose, I suspect such cases will become more common as having an employee hold the backups is still the cheapest method and avoids the more likely issue of data loss from fire/water damage to servers. More companies every day are given access to our information as we switch helathcare providers more frequenly and they share information (even within HIPAA standards) more frequently.

    I think the only solution will be for a new industry to appear which stores sensitive private information for individuals, receives it from doctors and financial institutions, and then provides compartmentalized portions with individual approval to other medical and fiancial institutions as needed. The data provided may have to be DRM encrypted to expire, leaving only the central repository as the source of the information under the indirect control of the individual whose data it is.

    I also believe the provision of the social security act which allows individuals to change their social security number (once in their lifetime) will have to be revisited to allow one-off social security numbers for identification the same way one-off credit card numbers are generated now.

    Good luck to us all not having our data stolen.