KEZI in Oregon reports:
A Reedsport clinic is alerting patients about a recent data breach.
Police are looking for a hard drive containing patient information from Dunes Family Health Care.
The organization that downloads and stores the clinic’s electronic records says it went missing on March 11.
The clinic sent notices to more than 16,000 current and former patients Tuesday about the data breach.
The clinic believes many of the records contain Social Security Numbers, names, addresses, birthdays, and clinical information.
A statement on the facility’s web site, posted today, reads:
On March 11, 2011, the organization maintaining the clinic’s back-up electronic files discovered that the external hard drive on which those files were stored was missing. The hard drive was stored in a locked, fire-protected building with very limited access.
Nonetheless, we believe the hard drive was stolen by a person or persons unknown. The apparent theft was reported to the police and they are still investigating the matter with the help of the Oregon State Crime Lab.
We are committed to safeguarding our patients’ sensitive personal information, and have taken immediate steps to fortify the measures protecting our back up files. Those files are now being stored under increased physical security and are encrypted.
The files that were stolen cover a wide variety of situations and patient encounters. Many of these files contain patients’ Social Security numbers (“SSN”), as well as other personal information. Others did not include SSNs, but may include a name, date of birth, address or clinical information. For that reason, we are providing identity theft safeguards to current and former patients who have been affected by this incident.
[…]
Some additional information is provided in coverage by the Umpqua Post.
Okay, so why weren’t the data on the hard drive encrypted? Why are entities so quick to implement encryption following a breach? If it’s that quick/relatively easy to do, why didn’t they do it before now?