US Healthworks Suffers Data Breach Via Unencrypted Laptop – Forbes
Data breaches happen in all manner of ways. Systems are compromised with SQL injection attacks. Spreadsheets are inadvertently leaked to external parties, and mobile storage devices get left on trains. These things happen, but they really don’t have to, now do they?
The health care company US Healthworks fell victim to a data breach in April as the direct result of a stolen laptop that was not encrypted. The company, a subsidiary of Dignity Health, is headquartered in Valencia, California, and has more than 3,000 employees on staff.
From the breach notification:
On April 22, 2015, we learned that a laptop issued to one of our employees had been stolen from the employee’s vehicle the night before. The theft was immediately reported to law enforcement, and we immediately began an internal investigation. On May 5, 2015, we determined that the employee’s laptop was password protected, but it was not encrypted.
The system was not encrypted and had personally identifiable information (PII) on it. This is a theme that just won’t go away. Just over the weekend I wrote about Heartland losing computers in a break-in that were not encrypted themselves. In this case the data that was potentially exposed included names, addresses, dates of birth and Social Security numbers.
Part of the problem that always strikes me in cases like this is that the data had left the organization. Sure, the argument could be made that this was on a company-owned asset, but the fact that it wasn’t encrypted means that it may as well have been on a USB drive. A Windows system that is only password protected is relatively simple to gain access to for anyone who knows how to leverage a search engine.
While I don’t know all of the details of the situation surrounding the incident for US Healthworks, it does highlight the problem that many organizations have with regard to data control and protection. If you have laptops in your enterprise environment, and let’s face it, who doesn’t, you need to address this issue. In this day and age there really isn’t a good reason to not encrypt the hard drives on your laptops. There is no shortage of encryption vendors out there that would sell you their products to secure your systems, in addition to readily available solutions like BitLocker, which can provide full disk encryption for enterprises that run Windows Enterprise.
If you are responsible for, or you work in, security for an organization, be sure to review where your data actually is and map that to where you think that it should be. The results will more than likely be disturbing in nature. All the more reason to puzzle that out now. While you’re at it, there is no time like the present to review your asset inventory and check for systems that are not encrypted. Address the problem now before you end up as a headline.
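One way to run that check on a Windows laptop, as an added example that is not part of the original article: the script below reports every volume that is not both fully encrypted and actively protected by BitLocker. It assumes an elevated PowerShell session on a Windows edition that includes the BitLocker module; the function name `Get-DiskEncryptionFinding` and the CSV file name are hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article). Get-DiskEncryptionFinding is a
# hypothetical helper name; Get-BitLockerVolume is the built-in cmdlet.

function Get-DiskEncryptionFinding {
    [CmdletBinding()]
    param()

    foreach ($vol in Get-BitLockerVolume) {
        # Collect protector types (Tpm, RecoveryPassword, ...), skipping nulls.
        $protectors = @($vol.KeyProtector | Where-Object { $_ } |
            ForEach-Object { $_.KeyProtectorType })

        $issues = @()
        if ($vol.VolumeStatus -ne 'FullyEncrypted') {
            $issues += "volume status is $($vol.VolumeStatus)"
        }
        # A suspended volume reports ProtectionStatus Off: the data is still
        # encrypted, but a clear key sits on disk, so a thief can read it.
        if ($vol.ProtectionStatus -ne 'On') {
            $issues += "protection status is $($vol.ProtectionStatus)"
        }
        if ($protectors.Count -eq 0) {
            $issues += 'no key protectors configured'
        }

        [pscustomobject]@{
            ComputerName         = $env:COMPUTERNAME
            MountPoint           = $vol.MountPoint
            VolumeType           = $vol.VolumeType
            VolumeStatus         = $vol.VolumeStatus
            ProtectionStatus     = $vol.ProtectionStatus
            EncryptionPercentage = $vol.EncryptionPercentage
            KeyProtectors        = $protectors -join ','
            Compliant            = ($issues.Count -eq 0)
            Issues               = $issues -join '; '
        }
    }
}

$findings = @(Get-DiskEncryptionFinding)
$findings | Format-Table MountPoint, VolumeType, VolumeStatus, ProtectionStatus, Compliant, Issues -AutoSize

# One CSV per machine, so results can be merged against the asset inventory.
$findings | Export-Csv -Path ".\$($env:COMPUTERNAME)-bitlocker.csv" -NoTypeInformation

# Non-zero exit lets management tooling flag the machine as non-compliant.
if ($findings | Where-Object { -not $_.Compliant }) { exit 1 }
```

Any machine in the asset inventory that produces no report at all belongs on the follow-up list alongside the ones that report non-compliant volumes.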
(Image used under CC from wahousegop)