While April 1st may be over, thieves are still making fools of companies left and right. The most recent victim is John Muir Health, a US hospital system, which has lost two laptops, compromising the personal health information of 5,450 patients. According to reports, the theft of the laptops occurred in early February; however, the organization is only notifying the affected parties now. The missing laptops weren’t protected by any type of encryption, so their contents are readable by anyone who boots the machine from other media or pulls the drive and attaches it to another computer; no special skill is needed. John Muir Health is rushing to do damage control: upgrading its security to include encryption on all computers and offering free identity theft protection services to patients whose private information may have been compromised.
We’ve seen this scenario over and over again. Companies are rarely prepared for any type of security breach and are thrown into a state of panic when one occurs. Don’t let your business fall into the trap. Learn from John Muir Health’s mistakes and improve data security at your company.
What Could Have Been Different?
Looking back, the folks at John Muir Health are probably wishing they had done things a little differently. There are two main lessons for the company here: the first concerns the importance of enforcing proper workplace security practices, the second shows the value of encryption technology. Though the organization declined to explain how the laptops containing private medical records went missing, it’s quite likely that employee negligence played a role. Employees are usually the weakest link in a company and pose the biggest threat to a business’ security. Ideally, computers holding private customer details or proprietary information would never leave the office or be accessible to outsiders.
Realistically, it’s extremely challenging to enforce such stringent measures, and doing so may be impractical, particularly for companies with “work-at-home” employees. It becomes the company’s responsibility to make sure that technology, especially computers that are taken out of the office or left alone in unmonitored areas, is properly protected from intruders. Full-disk encryption is the best defense a business can use to ensure that private information on a lost or stolen machine remains inaccessible to outsiders: without the key, the data on the drive is unreadable even if the disk is removed and attached to another computer. It’s a cost-effective technology that can help prevent serious damage in the future. One caveat: it protects data at rest. A laptop stolen while powered on or merely suspended with the volume already unlocked, or one protected by a weak or widely shared passphrase, gives up much of that protection, so the policy has to cover shutdown and passphrase strength as well as the encryption itself.
Had John Muir Health learned these two lessons before the laptops were stolen, the data breach could have been avoided entirely. Even if an employee had made a mistake and allowed the laptops to be taken, the medical information of 5,450 people would have remained safe, and properly encrypted data that goes missing is generally not treated as a reportable breach under the federal rules quoted below.
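Saying “encrypt all laptops” is easy; knowing that every machine actually has its data volumes sitting on an encrypted layer is the check an administrator needs before a laptop leaves the building. The script below is an added example, not part of the original post or of any product it mentions. It reads the output of lsblk in pairs format (NAME, KNAME, TYPE, MOUNTPOINT and PKNAME columns) and walks each mounted filesystem’s ancestry looking for a dm-crypt (LUKS) layer, which handles the common LVM-on-LUKS layout where the mounted device is a logical volume rather than the crypt device itself. The two sample layouts embedded in it are constructed for the example, not captured from a real host, and the device names in them are made up.

```shell
#!/bin/sh
# Added example (not from the original post): audit whether every mounted
# data filesystem on a Linux laptop sits on a dm-crypt (LUKS) volume, so a
# lost or stolen drive is unreadable without the passphrase.
#
# Input is lsblk "pairs" output with the columns NAME, KNAME, TYPE,
# MOUNTPOINT and PKNAME. PKNAME (parent kernel name) lets the script walk
# from a mounted partition or logical volume up through its ancestors.

# check_lsblk_pairs: read lsblk -P output on stdin; print one line per
# mounted filesystem with no crypt layer beneath it; return 0 if every data
# filesystem is encrypted, 1 otherwise. /boot, /boot/efi and swap are
# skipped because bootloaders normally need the boot partitions in plaintext.
check_lsblk_pairs() {
    awk '
    # Extract KEY="value" from a line that has had a space prepended, so a
    # key such as NAME cannot match inside the longer key PKNAME.
    function field(key, line) {
        if (match(line, " " key "=\"[^\"]*\""))
            return substr(line, RSTART + length(key) + 3, RLENGTH - length(key) - 4)
        return ""
    }
    {
        line = " " $0
        kname = field("KNAME", line)          # kernel name, used as the map key
        label[kname]  = field("NAME", line)   # human-readable name for reporting
        type[kname]   = field("TYPE", line)
        parent[kname] = field("PKNAME", line)
        mp = field("MOUNTPOINT", line)
        if (mp != "" && mp != "/boot" && mp != "/boot/efi" && mp != "[SWAP]")
            mounted[kname] = mp
    }
    END {
        bad = 0
        for (kname in mounted) {
            enc = 0; dev = kname; hops = 0
            # Walk up the device stack; any crypt ancestor means the data is encrypted.
            while (dev != "" && hops < 16) {
                if (type[dev] == "crypt") { enc = 1; break }
                dev = parent[dev]; hops++
            }
            if (!enc) { print "unencrypted: " mounted[kname] " (" label[kname] ")"; bad = 1 }
        }
        exit bad
    }'
}

# audit_sample: run the check over an lsblk text held in a variable.
audit_sample() {
    printf '%s\n' "$1" | check_lsblk_pairs
}

# Constructed sample 1: LVM on LUKS. Root and /home are logical volumes on
# dm-1/dm-2, whose parent dm-0 is the crypt device on nvme0n1p3.
SAMPLE_LUKS='NAME="nvme0n1" KNAME="nvme0n1" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="nvme0n1p1" KNAME="nvme0n1p1" TYPE="part" MOUNTPOINT="/boot/efi" PKNAME="nvme0n1"
NAME="nvme0n1p2" KNAME="nvme0n1p2" TYPE="part" MOUNTPOINT="/boot" PKNAME="nvme0n1"
NAME="nvme0n1p3" KNAME="nvme0n1p3" TYPE="part" MOUNTPOINT="" PKNAME="nvme0n1"
NAME="luks-1111" KNAME="dm-0" TYPE="crypt" MOUNTPOINT="" PKNAME="nvme0n1p3"
NAME="vg-root" KNAME="dm-1" TYPE="lvm" MOUNTPOINT="/" PKNAME="dm-0"
NAME="vg-home" KNAME="dm-2" TYPE="lvm" MOUNTPOINT="/home" PKNAME="dm-0"'

# Constructed sample 2: a plain install with no crypt layer anywhere.
SAMPLE_PLAIN='NAME="sda" KNAME="sda" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="sda1" KNAME="sda1" TYPE="part" MOUNTPOINT="/boot" PKNAME="sda"
NAME="sda2" KNAME="sda2" TYPE="part" MOUNTPOINT="/" PKNAME="sda"
NAME="sda3" KNAME="sda3" TYPE="part" MOUNTPOINT="/home" PKNAME="sda"'

audit_sample "$SAMPLE_LUKS" && echo "sample 1: all data filesystems encrypted"
audit_sample "$SAMPLE_PLAIN" || echo "sample 2: unencrypted filesystems found"

# On a real Linux host, feed the live output in the same way:
#   lsblk -P -o NAME,KNAME,TYPE,MOUNTPOINT,PKNAME | check_lsblk_pairs
```

The exit status makes the function usable from a fleet-management job that flags non-compliant hosts. On other platforms the equivalent one-shot checks are `fdesetup status` for FileVault on macOS and `manage-bde -status` for BitLocker on Windows; as with the Linux check, “encrypted” only counts once the volume’s protectors are actually enabled, so a report of an encrypted volume with protection suspended should be treated as a failure.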
Consequences
As with most data breaches, John Muir Health had to face a number of consequences. On top of having to inform the patients affected by the theft and suffering damage to its reputation, the company had to incur the expense of identity theft protection. Additionally, new laws could mean serious fines for the company. According to the San Francisco Chronicle:
The 2009 federal stimulus package, which went into effect this year, requires medical security breaches affecting more than 500 people to be reported to the U.S. Health and Human Services Department and to the local media. The new law establishes a wide range of fines – from as little as $100 per incident up to $1.5 million in extreme cases.
Businesses need to accept encryption as a key part of their data protection strategy. Do your company a favor and explore the benefits Alertsec Xpress can offer you.
Further Reading
John Muir Laptop Thefts Affect 5,450 [Health Data Management]
Laptops with medical data stolen [San Francisco Chronicle]