Several recent incidents in the Boston area involving medical data loss are highlighting the need for better standards, and the Massachusetts Attorney General's Office will be looking to boost knowledge using new funding.
Lost laptop leads to leak
The Boston Children's Hospital recently notified over 2,000 patients that a data security breach may have occurred when an employee at a conference in Buenos Aires lost a laptop with potential access to patient information. According to the Boston Globe, the data consisted of names, birth dates and medical records, but Social Security numbers and financial records were not compromised. The main issue was that, while the computer was password protected, the files on it were not encrypted, which put the data at risk. The hospital's president has apologized for the incident and stated that the hospital will be taking steps to prevent such incidents from occurring again.
Medical records suffer breach rash
In addition to the Boston Children's Hospital data security slip, other data loss incidents in recent years include the 2010 breach at South Shore Hospital (SSH) of Weymouth, Massachusetts, and a similar case in 2009 involving a multi-state breach that affected thousands of Massachusetts residents. Both instances have resulted in lawsuits, and both involved sensitive financial and personal information that was unintentionally leaked due to poor content security guidelines enacted by these companies.
"There have been numerous recent cases across the country involving lost of stolen laptops, missing backup media, and poorly secured health record databases," said researcher Neil Roiter in an interview with CIO Today. "Laptops and other portable devices are lost or stolen with alarming frequency, and one has to wonder how many other records may be potentially at risk."
Learning and leading by example
In a settlement, SSH recently agreed to pay $750,000 for losing data backup tapes containing records of over 800,000 patients. According to the Boston Globe, the facility contracted with Archive Data to sell 473 old storage tapes, but SSH failed to delete unencrypted information containing names, dates of birth, financial data and Social Security numbers before shipping the tapes to a Texas processing center. Of the three boxes shipped, only one was successfully delivered.
The Massachusetts Office of Consumer Affairs and Business Regulation (CABR) reported recently that 1,833 breaches in the state have occurred over the last five years due to these kinds of lax security measures, leading the state to pass new legislation in 2010 requiring the creation of written data security plans. The Attorney General's office will be granted $225,000 from the payout to create educational programs that promote data security in the state's medical facilities.
Encrypting and altering standards
The CABR noted that breaches in the state had decreased slightly over the last few years despite recent incidents of large-scale loss. The problem with data protection failures of that scope, the CABR report pointed out, is that while fewer entities are suffering breaches, those that do are exposing more client data than before, so the number of affected individuals is still on the rise.
"Our analysis found that our businesses, institutions and others need to do a better job protecting the information of individuals," said undersecretary of Consumer Affairs Barbara Anthony. "The best way to prevent identity theft and other serious issues is to keep information protected, safe and secure."