On November 14, Virtual Radiologic Professionals (“vRad”) notified the New Hampshire Attorney General’s Office that a laptop stolen from an employee’s car on October 14 contained sensitive medical and financial data. It’s a sad tale of pretty good security protocols gone bad due to human error.
According to Karen Scott, the Eden Prairie firm’s Privacy Officer, the laptop had a self-encrypting drive, which should have protected the data from access by the thief (of course, the laptop should not have been left in the employee’s car to begin with, but let’s take that as a given). When the firm investigated the breach, however, they discovered that although the employee and IT department had believed that the encryption was working, it had not been set up properly. Because of other “call home” software installed on the device, however, the firm will be alerted if the laptop tries to connect to the Internet without wiping the hard drive. If that happens, the drive would be immediately wiped.
vRad did not reveal how many physicians and patients had personal or protected health information on the stolen laptop, but the information included “limited medical information” for some patients and names, addresses, and sensitive information such as bank account numbers, Social Security numbers or credit card numbers of others.
One week after determining that the drive was not properly encrypted, vRad began sending those affected notification letters, offering them free credit monitoring services and telling them the steps they had taken to prevent a similar problem in the future.
For me, the “lesson learned” from this breach is the need to verify that encryption is properly configured and used. And of course, hammering it into employee’s heads that laptops do not belong in unattended vehicles.