Sunday, November 16, 2008

333,000 Unencrypted Records Exposed a Month Ago

In the "wow, that sounds bad" category, the University of Florida announced on November 12 that on October 3, they discovered that 333,000 unencrypted records for patients at the college of dentistry had been potentially accessed by unauthorized individuals. To make matters worse, the breach itself was caused when malware was remotely installed on the University's system. To make matters even worse, the malware was only discovered during a server upgrade (rather than, say, because the University's system detected and prevented installation of the malware). So, to recap, the facts (as set forth in this article from Computer World) are: (1) more than a quarter million records exposed; (2) notification takes more than a month after discovery; (3) records were patient records; (4) that were kept unencrypted; (5) on a system which was vulnerable to remote installation of malware; and (6) no automated security systems detected the remotely installed software.

Now, as it happens, I've presented the facts in such a way as to accentuate the negative, and I've done so to make a point: you aren't as protected as you think. While I don't know all the facts about this breach, simply from the facts I do know, it's not clear that any laws were broken either before or after the breach took place (other than the remote installation of the malware, of course). The HIPAA security standard regarding encryption (45 CFR 164.312(a)(2)(iv)) states that encryption of data is an addressable standard, not a required one. Similarly, Florida's security breach notification act gives a 45 day period for when notice can take place, so the month+ delay in this case could be (and, according to a spokesman, actually is) within Florida's law. Of course, even if there had been flagrant violations of both HIPAA and Florida's notification law, that wouldn't make much difference to the individuals whose information was exposed. Neither HIPAA nor Florida's law provides for a private right of action.

The bottom line? Laws relating to privacy and information security aren't as comprehensive or as effective as consumers may think. If people really want legal protection for their personal information, they should work to get new laws passed, not simply rely on the laws on the books. Otherwise, they could be in for a sad surprise when and if they try to go to court for redress when their own information is exposed.


Bill said...

Little confused by one statement about encryption. You seem to imply that encryption for is not required. Under HIPAA it is required but you have a choice on how to do it (addressable). In this case this seems to be a compromised internal system which HIPAA nor most privacy/security standards don't address. PCI standards are moving closer. This issue with out knowing more detail seems to be vulnerability and access issue under HIPAA.

Dougoogle said...

Hi Bill,

I can clear up your confusion over "required" and "addressable" safeguards in the HIPAA Security Rule.

A covered entity may decide NOT to implement an addressable safeguard (such as encryption) based on their Risk Assessment. This decision must be documented, however.

From Pg 8336 of the HIPAA Security Rule:

"In meeting standards that contain addressable implementation specifications, a covered entity will ultimately do one of the following: (a) Implement one or more of the addressable implementation specifications; (b) implement one or more alternative security measures; (c) implement a combination of both; or (d) not implement either an addressable implementation specification or an alternative security measure. In all cases, the covered entity must meet the standards, as explained below."

From HHS HIPAA Security Series, "Security 101 for Covered Entities":

"If the covered entity chooses not to implement an addressable specification based on its assessment, it must document the reason and, if reasonable and appropriate, implement an equivalent alternative measure."

John Taylor said...


I have posted my own article with reference to yours. Thank you.


MJ Knudsen said...

Thank you for your detailed response to Bill’s question. In my research of HIPAA I found the lack of specifics set forth by HHS to be frustrating. Correct me if I am wrong, but it seems to me a covered entity can set policies as they see fit as long as justification is provided. I think this lack of clarity and specifics does not protect patients as much as tighter regulations could.

William Morriss said...

Actually, HIPAA does specify things which are required (e.g., unique user identification, emergency access procedures, media disposal policies, etc). It just happens that encryption isn't among them.