Massive theft of medical data in LA sparks new security moves

la-me-ln-county-data-encryption-20140527-001In Los Angeles, the theft of computers from a county contractor's office that contained personal data for over 342,000 patients has led to a call for tighter security.

The Los Angeles County supervisors are proposing tighter protocols for patient medical data, reports the LA Times:

The county already requires that workers' laptops be encrypted. The supervisors voted Tuesday to extend that policy to also encrypt all county departments’ computer workstation hard drives. They also asked that county staff members develop a plan to require "all County-contracted agencies that exchange personally identifiable information and protected health information data with the County" to encrypt sensitive information on their computers as a condition of their contracts
A class-action lawsuit was filed earlier this month.

Notable Replies

  1. Or just plain old theft of easily removable computers.

  2. Ding ding! The data loss is an unintended side effect. It also begs the question of why any of this stuff was local, as opposed to on servers - it's a bad way to handle records in any case.

  3. Sadly from my many years of corporate IT support, this is usually how most places learn how to not do things.
    I know that at least where I work everything local laptop and desktop is encrypted, also anyone with PII access gets their workstation audited regularly for data and since I admin boxes with PII data (though best I can tell I don't have access to the actual data/databases unless it is in standard office/text files) I have a background check every 2 years now thanks to the company getting into similar trouble in the past.

  4. Bart says:

    Working in the electronic medical data industry, I can tell you that this isn't a huge surprise. We at my company encrypt 100% of all drives on all computers, and have a severe policy about storing PHI on any machine that isn't a controlled server (in a locked server room at a client location).

    Unfortunately, there are lots of companies that are simply too lazy to encrypt hard drives before handing out new computers. With modern OSes its easy enough to do, but its a simple case of laziness on the contractor's behalf.

    If there's any upside to this, the thieves are most likely just looking for cheap PCs to flip and have little to no incentive to go digging through files on the machines.

Continue the discussion

3 more replies