Just this week, Security Professionals Magazine is reporting a data breach of three thousand unencrypted medical records, names, and social security numbers. For want of choosing “Encrypt this Drive”, Humana and one of its associates have put thousands of customers at risk of economic harm.
According to the report, an encrypted laptop and an unencrypted USB drive containing the data were stolen from a Humana associate’s vehicle. This is classic laptop theft, and it is why anyone with sensitive information in their care should treat their laptop bag as if it were handcuffed to their body. See Unencrypted USB drive stolen, 3,000 Humana members in Atlanta impacted by Adam Greenburg (@writingadam on Twitter).
Worse than that, it did not have to be this way. Even after leaving the computer in a location from which it could be stolen, if only the laptop with full-drive encryption had been taken, the health insurance company might not have had a data breach under Georgia law.
But because there was legally protected personally identifiable information (PII) on the unencrypted USB disk, the PII is considered breached by law, thousands of Humana customers are put at risk, and the company has to report that a data breach has occurred.
In a Facebook post, Chris Horne, the owner of Vocalogic, an Atlanta-based IP telephony and web application development firm, asked “why would my data be running around, on a USB stick, on a vehicle. That’s what I want to know.” Without specific information, I presume that the USB disk was used to copy data to and from the encrypted laptop. If it, too, had been fully encrypted, then the data would not have been considered breached, at least not legally. Such removable devices must be covered by a comprehensive information security management policy, not treated as an afterthought to the laptop.
According to Humana, “at this time, Humana has no reason to believe that the information has been used inappropriately.”
However, with data breaches it is not necessary for the attacker to actually access the records or to use the information inappropriately. It is enough for the unauthorized person, in this case the thief, to have the means to access the protected information. At that moment the information is considered breached, and the data breach has already happened!
I am giving a talk on the anatomy of a data breach and what developers can do about it at Tech Talent South on Tuesday, June 3, 2014, in Atlanta. This Humana incident adds to the list of breaches that the students and I will be able to talk about.
In the end, all security problems are really people problems. Hopefully the students will learn from these mistakes and be positioned to help build the more secure systems that society needs and should expect.