Lahey Clinic breach: how seriously are some entities taking privacy and security?
Speaking of the risk of mobile devices…
Lahey Clinic reports that on July 1, a physician lost a Blackberry (or it was stolen) at an airport in France. On it were patients’ names, dates of birth, Lahey medical record numbers, diagnosis, and procedure names/test results.
The clinic did a remote wipe of all of the data on July 6, but for five days, those data could have been accessed by anyone because not only was the Blackberry not encrypted, but it was not even password protected.
In its August 24th letter to those affected, the clinic states, “We have taken corrective action steps to prevent a situation like this from happening again by encrypting all Blackberries and adding password protection to all devices.”
To which I respond: Why the heck wasn’t this done years ago? Seriously, given the constant reminders about data security and the frequent media stories about the number of lost devices, why didn’t the clinic address this already? Should entities even be allowed to tell patients that they “take the privacy and security of your data very seriously” when there was no encryption and not even a password? And why were the data traveling to France? Were the data really needed there or was this all a needless risk? Their letter doesn’t address whether they think it was appropriate for the physician to take the patient data out of the country.