Another Data Breach in the News

Computerworld today reported about another in a long line of newsworthy data breaches in an article titled Four lose jobs after data breach at Oregon health care facility. Evidently, the data was stolen in late December 2005, out of the back seat of a car, after a an IT worker at Providence Home Services took backup tapes and disks home in his car as part of the division’s backup protocol. The data included information on over 365,000 patients. Even though the data was stored in a proprietary file format that might be difficult to access, there seems to me to be quite enough blame to go around. First of all, the stated backup policy was for an employee to take company data home. Yes, they have since discontinued this procedure, but how could anyone have ever thought that method made sense? If your boss is asking you to take home company data on backup tapes please politely explain how this is a bad idea - and if the policy isn't changed, go to your auditors, who will definitely see that it is changed.

And even though there have been no verified reports of the data having been accessed or used by the thief, it would be kind of frightening to me if someone were to have my medical records. I just expect that type of data to be private - but I guess (as I've noted before) the expectation of data being private is continually eroding.

And wasn't HIPAA supposed to ensure the privacy of my medical records? Where is the section of the HIPAA legislation that deals with data in the back seat of a car? Hmmmm...

I think we may need a penalty wherein any company that has data stolen from it owes monetary damages to anyone whose records were breached. Perhaps the spectre of a financial penalty could ensure that adequate care is taken to protect customer data by those corporations that we entrust to care for our data. At the very least it might help to do away with the "back seat of the car backup method."