Laptop Security Breach Exposes Confidential Patient Records

By Author: Apple Tan
Total Articles: 68
Comment this article

A laptop containing more than 660 patient names and diagnostic information was stolen last month from Rancho Los Amigos National Rehabilitation Center in Downey, Los Angeles County.
At least 667 patient records were on the stolen laptop, which included patient names, dates of birth, medical record numbers, treating physician, test date, referring physician, and history of present illness, diagnosis, recommendations, and report of electromyography (EMG) testing.
‘However, no financial or social security information was contained in the patient records,’ said county Department of Health Services spokesman Michael Wilson.
The missing machine had been attached to medical equipment, a diagnostic machine that performs electromyography which aids doctors in the diagnosis of neuromuscular disorders, for example multiple sclerosis.
Staff members at the county-run hospital became aware of the stolen laptop Feb. 24, Wilson said, and letters have since been sent alerting patients affected by the theft. The hospital has begun a review of portable electronic devices and is making efforts to prevent future ...
... occurrences.
"It’s unfortunate. We regret the incident. It's an unusual occurrence, but we've taken steps to do the best remediation we can," Wilson said.
The loss of this machine, which was not protected with encryption software, was a HIPAA breach and requires notification to the HHS.  Additionally, because it affects over 500 people, it will be made public on the Department of Health and Human Services website. The county Department of Health Services is making the breach known under federal law.
A major mistake that could prove catastrophic for the hospital and which could have huge legal implications, was that laptop security was non-existent on the machine and it was not encrypted, which could raise serious data compliance issues. The hospital has now begun the implementation of a security program which will firstly review the mobile security of their mobile devices such as laptops, and will implement data security measures such as encryption, and mobile security measures such as anti theft measures.
DHS director, Mitchell Katz, said to press, “As a health care organization we are committed to protecting patient privacy and take great steps to ensure the security of electronic health information. We have a duty to protect patients' medical information, and we have implemented measures to prevent a future occurrence of this type.”
All this while, health care providers are often hesitant to implement security changes due to cost. The Ponemon Institute did a study and interviewed 211 senior-level managers at 65 health care organizations. Of the health care facilities surveyed, 69 percent had insufficient policies and procedures to thwart a data breach and detect the loss of patient data. In addition, 70 percent of hospitals did not find protecting patient data a priority.
Health care organizations are leaving themselves vulnerable to collective losses of $6 billion a year due to data breaches, according to estimates in a benchmark study by the Ponemon Institute privacy and data-management research firm.
The alarming number of breaches shows a real need to take precautionary measures before these incidents occur. Organizations, including health care providers, need to implement robust information security initiatives, including hiring highly trained information security experts in order to avoid security breaches.
Information security professionals can increase their information security knowledge and skills by embarking on highly technical and advanced training programs. EC-Council has launched the Center of Advanced Security Training (CAST) to address the deficiency of technically proficient information security professionals.
CAST will provide advanced technical security training covering topics such as advanced penetration testing training, Digital Mobile Forensics, Cryptography, Advanced Network Defense, and advanced application security training, among others. These highly sought after and lab-intensive Information Security training courses will be offered at all EC-Council-hosted conferences and events, and through specially selected authorized training centres.

About EC-Council:
The International Council of E-Commerce Consultants (EC-Council) is a member-based organization that certifies individuals in cybersecurity and e-commerce. It is the owner and developer of 20 security certifications, including Certified Ethical Hacker (CEH), Computer Hacking Forensics Investigator (CHFI) and Certified Security Analyst /Licensed Penetration Tester (ECSA/LPT). 
EC-Council’s Center for Advanced Security Training (CAST) was created to address the need for highly technical and advanced security training for information security professionals. CAST programs stand out from others thorough their extreme hands-on approach. CAST offer programs that cover important domains such as advanced penetration testing training, malware analysis, advanced social engineering, cryptography, digital forensics deep dive, and web application security training, among others.
EC-Council has trained over 90,000 security professionals and certified more than 40,000 members. Its certification programs are offered by over 450 training centers across 84 countries. These certifications are recognized worldwide and have received endorsements from various government agencies including the U.S. Department of Defense via DoD 8570.01-M, the Montgomery GI Bill, National Security Agency (NSA) and the Committee on National Security Systems (CNSS).