Loss of a Single Laptop Leads to $50k Fine Against Idaho Hospice 188
netbuzz writes "Losing a single laptop containing sensitive personal information about 441 patients will cost a non-profit Idaho hospice center $50,000, marking the first such HIPAA-related penalty involving fewer than 500 data-breach victims. Yes, the data was not encrypted. 'This action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients' health information,' says the Department of Health and Human Services."
This is why God invented encryption (Score:5, Insightful)
This is why God invented encryption.
Being non-proft does not justify being incompetent (Score:5, Insightful)
Yes, it is tragic, but effective encryption is free (TrueCrypt, e.g.) and a non-profit still does not have any business being incompetent.
Re:It works! (Score:4, Insightful)
It's hard to tell if you're being sarcastic or not.
Government penalizers doing... (Score:5, Insightful)
...what govt penalizers do best: pick on those least capable of defending themselves... in other words go after the low hanging fruit and don't bother with the really hard stuff like rich, for-profit hospitals and clinics that routinely violate HIPAA... because those have armies of high-dollar lawyers who'll make life hard on the govt if they attempt to go after them.
Re:It works! (Score:4, Insightful)
No it doesn't. For starters: such a fine is a good thing, but it should be payable to the victims of the data breach (as in: the people whose sensitive data was dumped on the street). One way or another, they suffer damage from a data breach, they should be compensated.
Secondly, it won't prevent further breaches like they happen so often these days. Maybe if fines are stiff enough, and handed out often enough, over time it will produce an effect. I wouldn't hold my breath though. When it comes to keeping data private, a new idiot is born every day. Sometimes an idiot in charge, but that's not always necessary.
Re:Hospice prices go up (Score:4, Insightful)
Re:It works! (Score:5, Insightful)
Yes, and the next time some Hospice official thinks about not encrypting their data, they're going to remember this event and think better of it.
HIPAA violations are serious. People have likely lost their jobs over this. Even though I'm not in a position to routinely work with patient data, my employer requires that my laptop is encrypted - in the case of my Linux laptop I was able to convince them that using encrypted LVM was sufficient.
-or- they learned another lesson... (Score:3, Insightful)
Re:Government penalizers doing... (Score:4, Insightful)
Nice rant. Too bad you're mostly wrong. HIPAA actually does manage to get data protection pushed far and wide in an industry that fights tooth and nail against any change. It's hardly perfect but it's not terribly onerous and most of the edge cases and implementation problems have been sorted out.
I'm not sure why they chose to beat up on some rural Hospice provider - they've had plenty of chances to hit some big boys and girls, but this will send out a signal that you shouldn't fuck around and avoid doing simple things. It isn't much of an expense to encrypt laptops. It's not hard to put locks on doors, HIPAA has made it easier to transfer data back and forth between providers because everyone is working off the same set of rules.
Maybe you should bash your head with your copy of Atlas Shrugged a few more times until things are clearer.
Re:It works! (Score:4, Insightful)
I'm happy HIPAA is being enforced. We have already had way too many breaches, either tapes left in unsecured locations, or laptops "going missing".
We already have had a decade of businesses giving security the hind teat, since it is viewed as a cost center, and the belief that "calling Geek Squad" after the fact can fix things. Having it made public that if laws/regs are broken, that fines will be levied might get places to zip their flies.
Encryption of laptops is not hard, especially Windows laptops that are the mainstay in business that have TPM chips. With any Windows version newer than Vista, Bitlocker is very easy to enable on an enterprise level. For most things, just forcing BitLocker via GPO on laptops, even if the user is a full admin is more than good enough for security.
For laptops without a TPM, Windows 8 and Windows Server 2012 allow for a password to be set before boot.
Almost all new major operating systems have some form of DAR/WDE encryption ready to go. Linux has LUKS, BSD has gbde, AIX has EFS, Solaris has encrypt(1), OS X has FileVault II. Enabling this may not be trivial, but it is doable.
Of course, almost all new backup programs have encryption, usually create/import a key, set a button to encrypt, and let fly. Netbackup has the Media Server Encryption Option, but even better, if one uses LTO-4 or newer media, NBU can just use the tape drive native AES encryption directly.
There is no excuse for encrypting laptops and media these days. None.
Re:A 'Big' fine? (Score:4, Insightful)
Dude, it's a small nonprofit hospice, it's doubtful they HAVE an IT guy, more likely a consultant they bring in to fix something every few years. I know because I worked consulting in a practice focused largely on smb medical and only our largest and/or most profitable customers ever engaged us for anything more than break/fix. I got out just as HIPPA enforcement was coming online and almost none of our clients was prepared despite the fact that we had sent along information for several years pointing them to organizations that could help them write their policies (we got nothing directly out of this, though given the state of many of their IT systems they would have needed services to become compliant with legal minimum practices).