I was amazed when I read about one of the latest data breaches in the Birmingham News. I was not amazed that there was another data breach at a hospital – in a recent post Data Loss is the Other Guy’s Problem we talked about how hospitals are one of the places most prone to data breaches. I was not amazed that this event took place in the United Kingdom because we have given Kudos to the United Kingdom and their Financial Services Authority (FSA) in prior posts.
What did amaze me was that the media got it right! The Birmingham News clearly identified the real issue not once but twice in this article:
1 – “None of the information on the missing laptops had been encrypted.”
2 – “A Trulife spokeswoman said although the laptops were password protected they had not been encrypted, and only contained “basic information” of name, address, date of birth, hospital number and orthotics appliance prescription.”
Let’s backtrack a bit on the details. Laptops containing the private and medical details of more than 7,000 Birmingham NHS patients, including sick children, have been stolen prompting a massive security alert. The first laptop went missing at the premises of a Birmingham hospital in March 2006, a second was stolen in a mugging in March 2007 and the third was stolen after being left in a Trulife employee’s car in February last year.
My guess is that you, like patient Yvonne Dass, are wondering why the reporting is taking place in 2009 for data stolen over the last three years.
“The letter says Trulife is truly sorry but that does not explain why it has taken so long to let people know that such personal information is in the hands of a stranger, who could use it for the wrong reasons,” said Yvonne.
Well the answer, albeit not a convincing one, is that is was only recently that Trulife discovered that the laptop held data about Sandwell and West Birmingham Hospitals NHS Trust patients. Alan Taman, of Birmingham Children’s Hospital, said: “Trulife informed us at the end of May about the potential loss of data related to our patients and we immediately instigated an internal investigation to ascertain the nature of the data loss and the risks that our patients were exposed to.”
So once again we mourn that innocent bystanders, these hospital patients, are having to deal with the hassles of potential identity theft. However, the fact that the mainstream media is starting to understand and report on the benefits of encryption bodes well for the future of both individuals and companies doing more to protect their computers.
In the physical world transient populations make crime easy because a criminal won’t stand out in the crowd. Universities are nothing if not transient in nature. Likewise, facilities open at all hours make crime easy. From dorms, to study halls to libraries – student life is a 24 by 7 event making it hard to control access.
Obviously, the University did not feature a high-level of physical security. However, even if your physical security is not up to speed, you can still protect the contents of your computers with the best digital security available: 
This story highlights what disk encryption is all about. We hate to make light of somebody’s misfortune but this example is humorous, sad and educational all at the same time. We so often hear about the risks of personal data that is on a stolen laptop being used and this tale shows how it actually can be used. We even thought about whether we should include her name – but it is already as public as public can be!
