A US cancer centre is being sued by a former patient over the theft of a laptop containing her and other patients' information.
According to courthousenews.com, a case has been brought accusing Barnes-Jewish Hospital and The Siteman Cancer Center of not notifying patients of the data theft for eight weeks. Plaintiff Rita Barricks said that the laptop was stolen in December 2010 and that the information on it was confidential yet unencrypted.
The information was said to have included patients' names, addresses, phone numbers, birth dates, social security numbers, medical records, diagnoses, lab results, email addresses, insurance information and employment information.
Barricks claims the defendants knew about the theft immediately but waited until January 28th to inform patients, and that her identity was stolen during that interval.
The complaint said: “The identity theft involved unauthorised attempts to access plaintiff's online banking account, application of unauthorised charges to plaintiff's bank account and unauthorised access to plaintiff's email account for the purpose of soliciting money from some or all of plaintiff's email contacts.”
Barricks also claimed the defendants, which include Washington University and its medical school, violated the Health Insurance Portability and Accountability Act by: failing to maintain an adequate security system; failing to encrypt patients' sensitive information; failing to implement policies restricting access to electronically stored health information to those granted access; and failing to prevent removal of electronic protected health information from its facility.
Chris McIntosh, CEO of ViaSat UK, said: “This story shows that there is still a woeful degree of complacency towards data protection. The first question that needs to be addressed is why wasn't the information encrypted? The cost of encryption amounts to a few hundred dollars per machine at most, an insignificant price when weighed against the risks of data being stolen.
“The next question is why it took so long for the theft to be reported in the first place. After all, the sooner that a data breach is reported the sooner that efforts can be made to retrieve the data and inform those affected.
“One effect of this case is that it may set a precedent for an individual taking an organisation to a civil court over losing their data. If these plaintiffs thought that the matter was being dealt with by the authorities, things might never have come so far.
“This presents a stark lesson for the Information Commissioner's Office (ICO) and other authorities here in the UK: if the public feel that they aren't doing their job, there is every chance that such cases could be raised here. As a result, the ICO will need to be seen to be taking hard, direct action against data breaches to prevent the individuals involved from seeking other means of redress.”
Stephen Midgley, vice president of global marketing at Absolute Software, said that this situation highlights a problem with an organisation not having a layered approach to security. “If a device goes missing and it doesn't have encryption, then the organisation is completely exposed as they have no means to be able to reach out and touch the device in question,” he said.
“If they had a security tracking solution in place, they could pinpoint the location and then take a number of mitigating actions: lock the device, send an end user message, retrieve files or have the device physically recovered. Even with the encryption there are still inherent risks for any organisation. Without security tracking software, they have no way of knowing where the device is, who has it, or sometimes what is even on the device. Often they cannot even validate if encryption was set up properly.”
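As an added illustration, not taken from the article or from any company quoted in it, the following POSIX shell check is one way an administrator can answer the last point above (validating that encryption was actually set up) on a Linux laptop: it walks the block-device chain beneath the root filesystem and reports whether a dm-crypt (LUKS) layer is present, so an LVM-on-LUKS layout is recognised as encrypted while a plain partition is not. It assumes util-linux `lsblk` with the `PKNAME` column; the two sample tables are constructed to look like `lsblk -P` output and were not captured from a real machine.

```shell
#!/bin/sh
# Added example (not from the article): is the root filesystem on dm-crypt?
# Input format: one device per line, as produced by
#   lsblk -Pno NAME,TYPE,MOUNTPOINT,PKNAME
# i.e. NAME="sda2" TYPE="part" MOUNTPOINT="/" PKNAME="sda"

# field LINE KEY: value of KEY="..." for a key that is not the first column
# (TYPE, MOUNTPOINT, PKNAME). The leading space stops PKNAME matching NAME.
field() {
    printf '%s\n' "$1" | sed -n "s/.*[ ]$2=\"\([^\"]*\)\".*/\1/p"
}

# root_is_encrypted TABLE: exit 0 if the device mounted at "/" or any of its
# parents is TYPE="crypt"; 1 if the chain reaches a bare disk without one;
# 2 if no device in the table is mounted at "/".
root_is_encrypted() {
    table="$1"
    dev=$(printf '%s\n' "$table" | grep -F 'MOUNTPOINT="/"' \
          | sed -n 's/^NAME="\([^"]*\)".*/\1/p' | head -n 1)
    [ -n "$dev" ] || return 2
    while [ -n "$dev" ]; do
        # Exact match on the NAME column only (index 1 = line starts with it),
        # so PKNAME="sda" on a child line is never mistaken for NAME="sda".
        line=$(printf '%s\n' "$table" \
               | awk -v d="$dev" 'index($0, "NAME=\"" d "\"") == 1' | head -n 1)
        [ "$(field "$line" TYPE)" = "crypt" ] && return 0
        dev=$(field "$line" PKNAME)   # climb to the parent; empty at the disk
    done
    return 1
}

# Constructed sample: LVM volume on top of a LUKS container (encrypted).
ENCRYPTED_SAMPLE='NAME="sda" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="sda1" TYPE="part" MOUNTPOINT="/boot" PKNAME="sda"
NAME="sda2" TYPE="part" MOUNTPOINT="" PKNAME="sda"
NAME="luks-1" TYPE="crypt" MOUNTPOINT="" PKNAME="sda2"
NAME="vg-root" TYPE="lvm" MOUNTPOINT="/" PKNAME="luks-1"'

# Constructed sample: root directly on a partition (not encrypted).
PLAIN_SAMPLE='NAME="sda" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="sda1" TYPE="part" MOUNTPOINT="/boot" PKNAME="sda"
NAME="sda2" TYPE="part" MOUNTPOINT="/" PKNAME="sda"'

# report LABEL TABLE: human-readable verdict, never fails the script.
report() {
    if root_is_encrypted "$2"; then
        echo "$1: root filesystem sits on a dm-crypt device"
    else
        echo "$1: root filesystem is NOT encrypted (or no root found)"
    fi
}

# audit_local: run the same check against this machine's real lsblk output.
# Windows and macOS have their own status commands (manage-bde -status,
# fdesetup status); this script only handles Linux.
audit_local() {
    command -v lsblk >/dev/null 2>&1 || { echo "lsblk not found"; return 2; }
    root_is_encrypted "$(lsblk -Pno NAME,TYPE,MOUNTPOINT,PKNAME)"
}

report constructed-luks  "$ENCRYPTED_SAMPLE"
report constructed-plain "$PLAIN_SAMPLE"
```

Run `audit_local` on a fleet host to get the live verdict; a return of 1 from a laptop that is supposed to be encrypted is exactly the gap the quote describes. The check only proves that a dm-crypt layer exists in the chain, not that the key is protected by a strong passphrase or a TPM, so it belongs alongside, not instead of, a management agent that reports encryption state centrally.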