Unencrypted Medical Records Stolen

August 18th, 2006: A Texas-based healthcare provider reports that 10 computers containing thousands of records relating to patients, doctors and employees were stolen. Password protection on the PCs is the only line of defence for the data.

According to Nashville-based healthcare provider HCA, "During a break-in at an HCA regional office, 10 computers were stolen, which held thousands of files listing unpaid bills from Medicare and Medicaid patients for hospitals in eight states.

"The records were required for government reports. The computers were stolen from a secured building, protected by keypad lock technology and video surveillance. All required a password for access. An analysis is ongoing, but law enforcement agencies, including the FBI, have launched an investigation of the theft."

HCA's business manages healthcare facilities including 182 hospitals and 94 outpatient surgery centres in 22 states, England and Switzerland.

HCA spokesman Jeff Prescott said that the stolen data included not only historical patient records dating back to 1996, with social security numbers, but also the names and SSNs of 7,000 employees and physicians.

HCA has attempted to mitigate the huge data loss with the following statement: "Authorities believe the computers were stolen by a gang that has committed numerous break-ins in the same area, looking for computers to be sold for their hardware and not the data."

This mitigation is, obviously, speculative, and it disregards the massive concerns raised in all commercial areas in recent years about the growth of identity fraud. According to the Australian Centre for Policing Research, for example, "Identity fraud was estimated by the Commonwealth Attorney-General's Department in 2001 to cost Australians in excess of $4 billion per annum, although authoritative statistics are not yet available on the crime's incidence or impact. Research conducted by SIRCA (Securities Industry Research Centre of Asia-Pacific) and released in late 2003 estimated that the cost of identity fraud in Australia in 2001-2002 was $1.1 billion."

The fact that the PCs were stolen, and that the data on those PCs appears to have been protected merely by passwords, with no data encryption, means that the data is vulnerable. This in turn means that the people to whom the data applies are also vulnerable.
