In a story that makes you scratch your head, a CD containing over 300,000 names of New Yorkers with developmental and other health issues has been missing for almost a month.

“We have not been able to locate within our Early Intervention program unit one disc out of two discs that we received from New York City,” DOH spokeswoman Claudia Hutton said. “At this point, we have no reason to believe they’ve left the building.”

The contents of the disk were encrypted, but unfortunately the encryption password may have been written on the outside of the disk.

Adding to concern is the fear that the disc’s password may be written on the outside, although Hutton said the disc is encrypted and could not be read without advanced technical skill.
 
Hutton conceded that putting the password on the disc was not a good idea and amounted to “sloppy housekeeping.”
They have been searching for the missing disk all over the building but still have not found it.
 

Workers at the DOH first discovered the disc was missing around March 20 when they realized it wasn’t where it was supposed to be: in a locked cabinet inside a locked room, said Hutton, in response to a reporter’s inquiry.

The two CDs had been sent by overnight delivery service from New York City and were logged in at Corning Tower.

Once the DOH realized one of the discs was missing, security experts began a search, even instructing workers to sift through piles of papers and desk drawers.

Hutton said the disc may have been accidentally shredded or may still be somewhere in the building. She said the New York City DOH was notified last week.

They say there is no need to notify the patients of the breach, but the details seem sketchy.

She said the DOH won’t have to notify people whose names are on the disc because it doesn’t contain diagnoses or other medical information that would be covered by federal privacy laws.

Along with the names and addresses, the disc contains codes that relate to the services the individuals received, Hutton said.

The main point to consider in this case is that if you have a CD, USB drive or laptop that is encrypted, DO NOT write the encryption password on the cover of the CD or place a sticky note on the drive or laptop. Encrypted data is considered secure, and no breach notifications need to occur if the data is lost. But if you write the password on or near the encrypted data, you basically make the encryption useless. The data should then be treated as though there is no encryption at all.
 
You can implement all the technology and take all the precautions to protect data, but in the end you are still only as secure as your staff allows you to be. If your staff takes security seriously and makes a real effort to perform their jobs in a way that protects patient data, you will have a very good chance of keeping patient data secure. On the other hand, if your staff does not take patient data security seriously and takes shortcuts with security (such as writing encryption passwords on CDs), there is a good chance you will face a patient data breach in the future.