Wednesday, June 2, 2021

Oklahoma Dental Practice Notifies Over 6000 Patients of Data Theft

 As regular readers know, I have a big focus on data security.  It's a huge responsibility for a small business like most private practices and most offices are woefully under prepared to deal with any type of data breach.

That's one of the reasons I frequently report about breaches and try to discuss what can be learned from them.  My hope is that by learning from the mistakes, other offices could hold off potential disaster.

The latest story I've come across is from a private practice in Oklahoma City, OK.  In this incident, the report is that a hard drive was stolen with practice data on it.  The drive that was stolen is password protected on more than one level and does not have the necessary dental practice management software on the drive that would allow the thief to easily access the data on it.

My take on this is that the theft was most likely a backup drive.  Probably a portable USB hard drive that was used by the office for offsite backups.  From an academic standpoint, I think the practice had probably done everything they could to protect the data on the drive.  I'm figuring the multiple password levels are most likely a master password for the drive and then a second username and password to actually gain access to the dental program that the office was using.  The big bonus is the software to run the database is not on the drive.  However, a determined cyber thief could most likely access the database file, but it would take some work.

The real problem here, is not the security.  I think they probably did pretty good job with that.  No, the real problem is the fact that even with at least 2 levels of passwords and maybe even encryption, the problem is the data was lost in the first place.  Even though the info on the drive has yet to have been found to cause any problems for patients, the office must still treat this situation as a HIPAA violation with all that requires. 

My understanding of the law is that losing data is losing data... whether it is encrypted or not, password protected or not.  So, even though the lost data may *never* cause a single problem, it must be treated the same was as if a totally open backup drive was stolen.  A friend of mine who deals with these types of situations told me that this type of event can cost several thousand dollars to deal with, even if no adverse event ever occurs with the data.  Basically this practice did everything right except to lose the drive and at that point they became as responsible as someone who left an open backup drive on the counter of the local fast food franchise.

The moral to this story is "Never ever let your offsite backups out of your sight".  Most of these types of events occur when someone stops to just "run a quick errand" on their way home.  Thinking they'll just dash into the grocery store, grab a gallon of milk, and be back in 5 minutes.  If during those 5 minutes the drive disappears, you are in the soup.  If you have to leave for "just a minute", simply take the drive with you.  Stick in your pocket, your backpack, or your purse.  If you leave it unattended and it is stolen, you are just as guilty as any other data breach victim.  Never let go of you data!

No comments:

Post a Comment