Another large scale security breach of a government agency has occurred, this time at a Veterans Affairs facility in Columbia, South Carolina. According to WIS-TV, the William Jennings Bryan Dorn VA Medical Center has mailed letters to 7405 patients whose information was compromised.
In this particular case, a laptop was stolen that contained names, partial Social Security numbers, and birth dates, as well as some medical and demographic information. The laptop has not yet been recovered, but in a notification letter to those affected, the VA indicated that laptops storing patient data have been “physically protected” and that clinical staff have been instructed to “securely store and purge all personally identifiable information from medical devices.”
What is unclear is whether any of the laptops had physical security in place prior to the breach. Furthermore, the VA didn’t mention whether any data was encrypted, password protected, or otherwise digitally safeguarded. HealthITSecurity reports that the data was unencrypted.
This is a shame, because encryption is relatively easy and cheap to deploy, and it offers a significant amount of protection against unauthorized access to data on a lost or stolen device. It’s a tool that every custodian of private information should be using – and especially entities that store sensitive medical and financial data.
Mobile security is an increasing concern, as more of us use cell phones, tablets such as the iPad, and laptops to conduct business. But the security policies of most companies have not kept up with the changing technologies used by employees, and as a result, hackers have found another vulnerability to exploit.
The price tag the VA will have to pay for this particular incident will no doubt be steep. It has already incurred notification costs, which experts estimate range roughly from $50 to $195 per person. (Watch our video about Notification Costs.) Multiply that amount by 7000+ people, and the bill is already in the hundreds of thousands of dollars.
Because the VA is a federal government agency, it is uncertain in this case how immune it will be to patient lawsuits or to fines from other federal agencies such as the Department of Health and Human Services (HHS). But clearly the breach at the VA hospital violated the Health Insurance Portability and Accountability Act (HIPAA). And HHS announced earlier this year that it was making HIPAA regulations involving medical information breaches even more stringent.