Will the government slap another government organization on the wrist for a patient data breach? We might find out soon. The William Jennings Bryan Dorn VA medical center alerted 7405 veteran patients on Friday of a recent breach involving an unprotected laptop with their personal information on the device.
Patient names, birth dates, weight, race, respiratory test results and partial Social Security numbers were all potentially compromised data on the laptop, which has yet to be found. WISTV.com reports that the laptop’s connected devices have since been protected, though it’s not clear whether that means encrypted or password-protected.
The VA says that no information has been misused and is offering a free year of Equifax Credit Watch services. “Any time a Veteran’s personal information may be compromised, we take the matter very seriously,” said Rebecca Wiley, the Medical Center Director, to WISTV.com. “We are reaching out to each Veteran who may have been impacted.”
The notification letter, which can be read here, says that the VA has formed an incident response team:
An Incident Response Team, including the Dorn VA Police and the Office of the Inspector General, immediately began an investigation which is ongoing. To prevent any future occurrence, all laptops contained on medical devices have been physically protected and the Dorn Chief of Staff notified clinical staff to securely store and purge all personally identifiable information from medical devices.
As PHIPrivacy.net notes, why weren’t these protected beforehand? And more to the point, why wasn’t there any mention of encryption or technical safeguards? While physical security is certainly important, the key to this story was that the laptop had personal data that wasn’t encrypted. How the Department of Health and Human Services (HHS) reacts to a government organization losing an unprotected laptop will be of public interest.