A recent CMIO post describes the data breach of 34,000 patients’ personally identifiable information.

A former contractor’s personal laptop containing patient information was stolen, according to a statement from Larry Warren, CEO of the hospital. “This information was downloaded in violation of Howard University Hospital policy,” he wrote.

I’ll give you 30 seconds to spot 3 problems with the situation. Tick, Tock.

I can see three especially worrisome problems:

Information was downloaded in violation: I’m guessing that there was no monitoring of downloads of sensitive data at this medical institution. This sort of monitoring may have prevented this data from leaving the building.

Former contractor: So a person who had access to this sensitive data was allowed to leave the organization with it. I personally refuse to put data such as this on my own devices, mainly because I do not want the liability of having to protect it or report it if something were to go wrong. I am usually the only person on the project who refuses. However, I have never even been asked or reminded about removing any company data from any of my storage devices when I go on to other projects.

Personal Laptop: I sometimes use my own equipment when working at a client, and that is normally due to the fact that client systems are often less powerful than my own and they don’t have licenses for tools that I need to do my job. But I’d rather use systems that have enterprise-class security, encryption and monitoring. I wish more corporate systems supported such practices.

Since the article did not mention that the data was encrypted, I’m guessing it wasn’t. I’m also wondering why this ever got reported…most former consultants would not do so, I’m guessing, if they had the data in violation. Perhaps the laptop was recovered and the breach was reported that way.

I’ve previously blogged about how poorly medical data is protected.

This sort of data breach makes me mad. It’s nice that the hospital says that they are now “implementing enhanced security measures”, but why didn’t they do that before? Did their compliance officer recommend it but management said “no, too expensive”? Did their DBA say “the database is encrypted, so we are covered”? Did the former contractor take the data maliciously? Did he have to put it on his personal laptop? Why do we continue to treat data as if it is someone else’s problem to manage? Do we not understand that we have a professional obligation to protect patient data? Even with legislation it seems the message still isn’t making it through to everyone.

Does your organization have security monitoring in place to protect patient or customer data? If it doesn’t, have you recommended that it do so? Go do it, now.