DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Lesson learned from a data breach: "Trust but verify"

Posted on October 16, 2011 by Dissent

Tony Kennedy and Maura Lerner report on the aftermath of a contractor breach that affected patients at Fairview and North Memorial hospitals in Minnesota. For those who may not recall the Accretive breach, the reporters provide a summary:

On the night of July 28, according to police reports, a consultant named Matthew Doyle, who worked for Accretive Health Inc., left a Dell laptop in the back seat of a rental car parked in the Seven Corners bar and restaurant district in Minneapolis. When he returned after 10 p.m., the back window was smashed and the computer was missing.

The laptop contained information on 14,000 Fairview patients and 2,800 North Memorial patients, potentially exposing them to identity theft or other harm.

The bulk of the news story deals with Accretive Health’s failure to encrypt and adequately secure the data, noting that nationwide, there are about three reports per month of stolen laptops with unencrypted patient data. I think that estimate is way too low and that we’re only finding out about an average of three per month but there are likely many more.

But what have the Minnesota hospitals learned from the breach and how has it affected their relationship with Accretive?

Lois Dahl, Fairview’s information privacy director, said the mistake has taught the hospital to verify, not just trust, that its contractors are living up to privacy obligations.

Fairview also is considering dropping Social Security numbers from records shared with outside business partners, Dahl said. The hospital also wants to tighten practices to ensure it is not giving vendors more patient information than necessary, she said.

Bingo! It’s a shame it took this breach for them to learn those lessons, but if they’ve learned them now, I’m glad for that.

For its part, Accretive has started daily audits to ensure encryption on all devices carrying patient information, Kazarian said. The company also has “reaffirmed” rules for keeping laptops secure, he said.

And what are their rules? It would be nice to know what they are instructing employees – other than not to leave a laptop in the back seat of a car in a bar parking lot.

Harley Geiger of the Center for Democracy and Technology (CDT) described the breach as “failure of diligence,” and I concur. But it’s not just the contractor’s diligence. As the hospital now realizes, covered entities need to verify that contractors are living up to the terms of any contract in terms of protecting the privacy and security of patient data.

Yesterday, in another sector, we saw how the SEC discovered that a contractor had shared data with unapproved and un-vetted subcontractors.  SEC notified its employees of the breach, but the impressive part is that they audited and verified what was happening to data they had shared with the contractor.  More HIPAA-covered entities would benefit from the “trust but verify” approach. It’s just not enough to have clauses in a contract and when covered entities are themselves audited, I hope they are asked to indicate how often and how they verify that business associates are adhering to the security and privacy protections in their contract.

“This was not the result of some sophisticated attack,” Geiger said.

No, indeed. And I am hard-pressed to think of any sophisticated attacks on patient data that we have seen. Most of them seem to be reasonably low-level attacks that could have been fairly easily prevented. Besides, why knock yourself out attacking networks when there is so much low-hanging fruit just lying around for the taking?

(Url corrected to link to Star Tribune)

Related posts:

  • Senator Franken questions Accretive about allegations raised by Minnesota's Attorney General
  • July theft of computer with Fairview patient data wasn't the first, Minnesota AG says
  • Attorney General Swanson Sues Accretive Health for Patient Privacy Violations
  • MN: Fairview Health Services and North Memorial Hospital inform patients of breach due to Accretive Health's security #FAIL
Category: Health Data

Post navigation

← World Miss Photogenic hacked and accounts dumped
GA: Law firm's documents dumped in trash →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • France issues press statement about arrest of ShinyHunters members
  • Patients Allege Home Delivery Pharmacy Failed to Timely Notify Them of Data Breach
  • Hackers breach Norwegian dam, open valve at full capacity
  • Patient death at London hospital linked to cyber attack on NHS
  • ShinyHunters and team members arrested in France (2)
  • Texas Enacts Liability Shield From Punitive Damages for Certain Small Businesses That Adopt Cybersecurity Programs
  • Dublin ETB fined €125,000 for data protection breaches
  • From $5,000 to $800,000: Days Apart, OCR Security Settlements Show Puzzling Math
  • Liberty Township in Ohio has recovered its network after a ransomware attack
  • Marquette County Medical Care Facility discloses data breach

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • How Internet of Things devices affect your privacy – even when they’re not yours
  • Sky Views Personal Data as a Potential Weapon in IPTV Piracy War
  • Florida Used a Nationwide Surveillance Camera Network 250 Times To Aid in Immigration Arrests
  • Federal Court Strikes Down HIPAA Reproductive Health Care Privacy Rule
  • The Markup caught 4 more states sharing personal health data with Big Tech
  • Privacy in the Big Sky State: Montana’s Consumer Privacy Law Gets Amended
  • UK Passes Data Use and Access Regulation Bill

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.