Verse 1: Car thieves get personal data on Portland psychology patients, unemployed Oregonians (thanks to Jake K and lyger on DataLoss DB)
4,000 psychology patients and 2,900 jobless residents breached by stolen laptop and stolen data storage device in Oregon.

Verse 2: Stolen laptop puts data at risk: Information on Texas Children’s Hospital patients was compromised (thanks to lyger on DataLoss DB)
Doctor’s laptop containing clinical and demographic information of about 1,600 patients stolen.

Verse 3: Fort Worth medical clinic spends $15,000 notifying patients of theft (thanks to security curmudgeon on DataLoss DB)
Employees at a Fort Worth allergy clinic found the office door kicked in and four computers gone, containing PII and SSNs for 25,000 patients.

Verse 4: Aultman Health Foundation Laptop Computer Stolen (thanks to Redemtech)
13,800 home health care patients breached by a stolen laptop.

Verse 5: Boise Employee Information on Lost Tape (thanks to Redemtech)
About 300 employees breached by a missing backup tape.

It’s difficult to decide where to stop once this river gets flowing. We’ll call it good at five.

But while the devices proliferate, their capabilities increase, and that actually brings a significant risk, since a single smart phone with a meager 8 GB of storage can carry enough proprietary, secret, sensitive, or otherwise private data to just about destroy a business–when the phone falls into the wrong hands. Thus, businesses and consumers alike are waking up to the risks of those handy gadgets.

Businesses must lead the way in managing the risk, and Paul Korzeniowski over at InformationWeek has a nice, short article entitled “Five Steps to Managing Mobile Devices.” It’s worth a read, and business owners and managers must start by getting over the psychological hump–you can manage the devices or, at the very least, you can make some decent headway to at least reduce your risk.

Here are Korzeniowski’s steps, in summary (please read the full article):

Step 1: Inventory Employee Mobile Devices

Step 5: Move To More Sophisticated Applications

Once again, here’s that link to the full article–worth a few minutes’ read. And, while we’re at it, it’s worth noting that insuring these devices is a very, very good idea as well. And it’s very affordable. See MyLaptopGPS Premier Partner Safeware Insurance for more information.

At the booth, MyLaptopGPS gave away an iPhone 4, plus a whole bunch of MyLaptopGPS “Protect Your Assets” t-shirts. Lucky winner Charles Tholen of Cognoscape took home the grand prize.

MyLaptopGPS CTO Dan Yost with Charles Tholen of Cognoscape

Congratulations to Charles!

MyLaptopGPS was also touting to the new MyLaptopGPS Reseller Program, which was very well received at the show. We look forward to working with some great resellers.

That’s all for now, and as they say in Texas, “y’all come back now!”

But given recent legislation dealing with data breach notification requirements, why might it still be true that many breaches either don’t get reported at all, or get a bit “under-reported” inasmuch as they provide few, if any, details and numbers about the breach (such as the number of individuals affected)?

The article claims that the ITRC (Identity Theft Resource Center) believes that the fact that some states now harbor a “protected” breach list that is not made public at all, or is only accessible via an official Freedom of Information Act request, is one cause. Similarly, for medical data breaches, the US Department of Health and Human Services has created a “risk of harm” threshold for notification requirements, which has been contentious since it was first introduced, with opponents claiming that it removes the very core incentive of data breach notification requirements: incentive for organizations to protect data in the first place, lest they have to report a breach.

Furthermore, in many cases organizations are allowed to do their own assessment of the “risk of harm.” Could this be akin to letting a convicted criminal sentence himself? Perhaps.

In any case, the article helps identify some very likely causes of continued data breach under-reporting, which in turn helps reinforce the claim that it’s really worse out there than most people realize. Ignorance may not be bliss.

It’s worth emphasizing repeatedly that when a data breach happens, the entire business suffers, and suffers greatly. With the enormous impact that data breaches have, and the extreme risk that each and every employee (and contractor) can pose, it pushes prevention into the laps of everybody in the business, not just IT. Though IT may be the group that implements solutions, they are often hamstrung by lack of sponsorship in upper management, and we all know that when the bosses don’t want it, it doesn’t get done.

So then, our tip is to gather those bosses. We’re gearing here for more of the small business types, as opposed to enterprises with more formal structures who already should be (but often aren’t) doing this. Gather the business’ key decision makers and at least begin the discussion of data privacy. Do not get technical, since the meeting will likely be full of non-techies. But begin the process of educating the whole swath of managers that this problem is “organizationwide.” It’s not an IT problem alone.

Regardless, an additional 860,000 current and former members of AvMed are being notified that their personal information is at risk due to the apparent theft of two laptops, which went missing from a locked conference room at AvMed Health Plans’ Gainsville office back on December 11.

AvMed once again mentions that there is no evidence of any malicious use of the data, which is normal, and that they are “strengthening data security and procedures.” Thanks to Redemtech for the heads up on the article.

A nice summary article can be found at NextGov (thanks to Jake K at DataLossDB for that tip). According to the article, the White House review found that “quantifying the value of protection motivates organizations to address vulnerabilities.” And when it comes to crunching numbers, especially with dollar signs attached, the CFO is typically front and center. The message of the guide is clear and very well underscores the growing realization, worldwide, that data security is actually not “an IT issue.”

In many organizations–in fact in most organizations–the security of data is referred to the “IT department.” It is true that IT tends to be the proper group to actually implement protections. But what tends to happen, before solutions can even be discussed or pursued, is called the brick wall of “funding” or “budgetary appropriations.” Quite simply, IT isn’t given the money or the clout to really deal with “data security” and, lacking the leadership and key sponsorship of the CFO, it fizzles. A few steps may be taken but, far and away, the priorities fall elsewhere.

Back to the guide, or “handbook,” the cost estimates included are helpful to make the point that this is indeed a business-wide decision. Here’s an excerpt from the NextGov article:

The publication estimates a data breach of 10,000 records containing personal identification information would cost about $1.6 million, assuming the company carried breach insurance with an 80 percent coverage of direct costs. That sum includes direct expenses for investigations and forensics, consulting services, notification of affected individuals, public relations, legal defense, and credit and identity monitoring — as well as the indirect cost of lost business. The handbook cites several analytical models to help chiefs assess costs and benefits.

Steps to bolster protection also include learning to view digital safety as a business strategy rather than as an operational responsibility and leading a cyber risk team of appropriate subordinates organizationwide. This team should meet in person, if possible, the publication notes. Face-to-face interactions can prevent the confusion that often occurs when separate business units speak in jargon.

Very helpful, indeed, as even the “geek speak” of the day can cause crucial issues to be lost in translation. The news headlines are packed with examples of what happens when these issues aren’t solved in time.

GovInfo Security reports that the data was unencrypted, and the theft actually involved a government contractor.

Most of the details of the case are quite standard: a third party with access to data, security controls lacking or completely non-existent, crime of opportunity, and now 207,000 more potential ID theft cases. And, as is common, policies and procedures are under review in response to the breach. Hopefully, good security technology will be one prong in the resulting PnP’s.

For now, however, 207,000 more victims are added to the stack. Thanks to kirniki for the tip.

The report was based on a biannual survey of 250 healthcare professionals nationwide and was commissioned by Kroll Fraud Solutions. The overall flavor of the report seems to suggest a bit of an “overconfidence” by healthcare IT professionals regarding the actual security of their data–they perceive it to be much more secure than it is. And, as we see in breach after breach, that often turns out to be true.

Kroll’s summary of key findings states:

• New regulatory activity, including the implementation of the Red Flags Rule and HITECH Act, has created a false sense of security among healthcare organizations that their facilities are secure and prepared should a breach occur.
• Healthcare organizations continue to underestimate the high costs of a data breach, despite new industry data which puts the average cost per industry data breach at $6.75 million.
• Healthcare organizations continue to think of data security in specific silos (IT, employees, etc.) and not as an organization-wide responsibility, which creates unwanted gaps in policies and procedures.

A more extensive list of highlights is found in the Healthcare IT News article:

• Despite new regulatory activity, including the implementation of Red Flags Rule and HITECH Act, and increased compliance among healthcare providers, the reporting of healthcare breaches is on the rise.
• The majority of survey participants indicated that they were compliant with existing laws and regulations.
• Average responses were above a 6.0 (on a scale of 1-7, with 7 being the highest level of compliance) for almost all laws and regulations, including CMS Regulations, HIPAA, State Security Laws and Red Flags Rule. Only HITECH scored lower (5.75), most likely due to the fact that HITECH was still not fully implemented at the time of the survey.
• The number of healthcare organizations that reported a breach increased by six percent in 2010 to 19 percent of total respondents – up from 13 percent in 2008.
• When asked to rate their level of “preparedness” for a future security breach, respondents from organizations having experienced a breach cited a preparedness level of 6.06 (on a scale of 1-7, with 7 being most prepared).
• Healthcare organizations continue to underestimate the high costs of a data breach, despite the fact that penalties for HITECH violations can reach as high as $1.5 million dollars.
• Patient satisfaction was most frequently cited as the primary impact of a data breach on their organization (38 percent), while only 15 percent cited the financial costs —  down from 18 percent in 2008.
• Healthcare organizations continue to think of data security in specific silos (IT, employees, etc.) and not as an organization-wide responsibility, which creates unwanted gaps in policies and procedures.
• Eighty-seven percent of respondents indicated that they have policies in place to monitor access and sharing of electronic health information, yet research shows that 84 percent of healthcare breaches since 2003 were due to “low tech” incidents such as lost or stolen laptops, improper disposal of documents, stolen backup tapes, etc.
• Sixty percent of respondents said they required third party vendors to provide proof of employee training and only half indicated that they required third party vendors to provide proof of employee background checks. As organizations prepare for the broader sharing of electronic health records across massive networks of providers, payers, state and federal repository systems, third party involvement is only expected to increase in the coming years.

There is indeed a lot to crunch and, as noted in the articles, it’s a “bittersweet” set of results. On the positive side, data security is getting much more attention and many healthcare organizations are taking action. But on the negative side, there’s still a very serious gap between “theory and practice,” so to speak. In theory, organizations think they’re secure and are shooting entirely for “compliance.” In practice, not so.

This elicits thoughts of the old cliche: In theory, there’s no difference between theory and practice. In practice, there is.

Download the full report here. Thanks to security curmudgeon on DataLossDB for the heads up.

Officials there are sending letters to 24,600 patients affected by the loss of a flash drive. The Courier-Journal reports, and thanks to Jake K for the tip.

According to the article:

Hospital officials ran a legal advertisement in The Courier-Journal on Thursday notifying the public of the problem. They said the drive contained the following information on patients admitted since 2002: patient names, room numbers, insurance company names and admission and discharge dates. It didn’t include diagnoses or treatments, Social Security numbers, dates of birth, telephone numbers or addresses for these patients.

The drive also included the following information on patients assessed since 2009 but never admitted: name, date of assessment, date of birth and the time they left the hospital. For these patients, the information on the drive didn’t include diagnoses or treatments, Social Security numbers, telephone numbers, addresses or insurance information.

The hospital is also reportedly taking steps to increase their security, such as deploying encryption.