DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Lesson learned from a data breach: "Trust but verify"

Posted on October 16, 2011 by Dissent

Tony Kennedy and Maura Lerner report on the aftermath of a contractor breach that affected patients at Fairview and North Memorial hospitals in Minnesota. For those who may not recall the Accretive breach, the reporters provide a summary:

On the night of July 28, according to police reports, a consultant named Matthew Doyle, who worked for Accretive Health Inc., left a Dell laptop in the back seat of a rental car parked in the Seven Corners bar and restaurant district in Minneapolis. When he returned after 10 p.m., the back window was smashed and the computer was missing.

The laptop contained information on 14,000 Fairview patients and 2,800 North Memorial patients, potentially exposing them to identity theft or other harm.

The bulk of the news story deals with Accretive Health’s failure to encrypt and adequately secure the data, noting that nationwide, there are about three reports per month of stolen laptops with unencrypted patient data. I think that estimate is way too low and that we’re only finding out about an average of three per month but there are likely many more.

But what have the Minnesota hospitals learned from the breach and how has it affected their relationship with Accretive?

Lois Dahl, Fairview’s information privacy director, said the mistake has taught the hospital to verify, not just trust, that its contractors are living up to privacy obligations.

Fairview also is considering dropping Social Security numbers from records shared with outside business partners, Dahl said. The hospital also wants to tighten practices to ensure it is not giving vendors more patient information than necessary, she said.

Bingo! It’s a shame it took this breach for them to learn those lessons, but if they’ve learned them now, I’m glad for that.

For its part, Accretive has started daily audits to ensure encryption on all devices carrying patient information, Kazarian said. The company also has “reaffirmed” rules for keeping laptops secure, he said.

And what are their rules? It would be nice to know what they are instructing employees – other than not to leave a laptop in the back seat of a car in a bar parking lot.

Harley Geiger of the Center for Democracy and Technology (CDT) described the breach as “failure of diligence,” and I concur. But it’s not just the contractor’s diligence. As the hospital now realizes, covered entities need to verify that contractors are living up to the terms of any contract in terms of protecting the privacy and security of patient data.

Yesterday, in another sector, we saw how the SEC discovered that a contractor had shared data with unapproved and un-vetted subcontractors.  SEC notified its employees of the breach, but the impressive part is that they audited and verified what was happening to data they had shared with the contractor.  More HIPAA-covered entities would benefit from the “trust but verify” approach. It’s just not enough to have clauses in a contract and when covered entities are themselves audited, I hope they are asked to indicate how often and how they verify that business associates are adhering to the security and privacy protections in their contract.

“This was not the result of some sophisticated attack,” Geiger said.

No, indeed. And I am hard-pressed to think of any sophisticated attacks on patient data that we have seen. Most of them seem to be reasonably low-level attacks that could have been fairly easily prevented. Besides, why knock yourself out attacking networks when there is so much low-hanging fruit just lying around for the taking?

(Url corrected to link to Star Tribune)

Category: Health Data

Post navigation

← World Miss Photogenic hacked and accounts dumped
GA: Law firm's documents dumped in trash →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Texas gastroenterology and surgical practice victim of ransomware attack
  • Romanian Citizen Pleads Guilty to ‘Swatting’ Numerous Members of Congress, Churches, and Former U.S. President
  • North Dakota Enacts Financial Data Security and Data Breach Notification Requirements
  • Pro-Ukraine hacker group Black Owl poses ‘major threat’ to Russia, Kaspersky says
  • Vanta bug exposed customers’ data to other customers
  • Lyrix Ransomware Targets Windows Users with Advanced Evasion Techniques
  • Central Maine Healthcare tackles suspected cybersecurity issue; hospitals remain open
  • Cartier Data Breach: Luxury Retailer Warns Customers that Personal Data Was Exposed
  • Beyond the Pond Phish: Unraveling Lazarus Group’s Evolving Tactics
  • Akira doesn’t keep its promises to victims — SuspectFile

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Supreme Court Agrees to Clarify Emergency Situations Where Police Don’t Need Warrant
  • Stewart Baker vs. Orin Kerr on “The Digital Fourth Amendment”
  • Fears Grow Over ICE’s Reach Into Schools
  • Resource: HoganLovells Asia-Pacific Data, Privacy and Cybersecurity Guide 2025
  • She Got an Abortion. So A Texas Cop Used 83,000 Cameras to Track Her Down.
  • Why AI May Be Listening In on Your Next Doctor’s Appointment
  • Watch out for activist judges trying to deprive us of our rights to safe reproductive healthcare

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.