[ Wednesday, April 21, 2010 ]
Mass. Eye and Ear Data Breach: Interesting story. A Mass. Eye and Ear Infirmary doctor was lecturing in South Korea and his laptop was stolen. The data was password protected, and the computer had LoJack on it and an automatic hard-drive scrubber that could be activated in case of emergency (although some commentators have noted that the hard-drive eraser won't work until the computer is connected to the internet). They have notified the individuals affected, put a notice on their website, and published this press release. The data almost certainly wasn't compromised, and didn't contain really bad stuff like Social Security numbers. Sounds like Mass Eye and Ear did a bang-up job.
But. . . .
If they had encrypted, rather than password-protected, they wouldn't have to put out the notice, do the press release, or otherwise deal with any of this. There are no data breach notification requirements if the data is "secure," and if it's encrypted, it's secure.
One tiny extra step would have really saved them time, money, frustration, damage to reputation, etc.
Jeff [11:42 AM]