Here’s an interesting breach notification case from 2011.
The UCLA Health System is notifying thousands of patients by mail that on Sept. 6, 2011, an external computer hard drive that contained some personal information on 16,288 patients was among a number of items stolen during a home invasion. Although this information was encrypted, the password necessary to unscramble the information was written on a piece of paper near the hard drive and cannot be located. There is no evidence suggesting that the information has been accessed or misused.
And now for the punch-line:
The individual whose hard drive was stolen left employment at UCLA in July 2011.
It was their own personal hard drive with three years of data. Not sure if it’s worse to know that a current employee/user is so careless with a password to the encrypted data or that a former employee has retained encrypted data and a password to still decrypt it.
Kudos to UCLA for their reporting (a better response now than what we saw from them in 2008, which resulted in AB 211 and SB 541).
I suspect they will be looking at whether large data sets really need to be on personal removable equipment instead of remotely accessed on virtual desktops and how they should rotate/expire encryption keys. My guess is the user was given the encryption capability for the data so their key should have been revoked (rendering the password paper useless) when they left employment.
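One design that gives that guess its teeth, as an added example (not UCLA's setup, and with a toy SHA-256 counter-mode cipher standing in for AES): the drive's data key is wrapped under both the user's password and a key held by a hypothetical organisation key service, so the off-boarding step revokes the server side and the password on the paper is no longer enough to open the drive.

```python
import hashlib
import secrets
def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy counter-mode cipher from SHA-256 (stand-in for AES-CTR, demo only); XOR undoes itself."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + (i // 32).to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

def pw_key(password: str, salt: bytes) -> bytes:  # password layer: 32-byte wrapping key
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
class KeyServer:
    """Hypothetical organisation-held key service: keeps the KEK, serves only enrolled users."""
    def __init__(self):
        self._kek = secrets.token_bytes(32)   # never leaves the server
        self._active = set()
    def enroll(self, user):
        self._active.add(user)
    def revoke(self, user):                    # off-boarding step
        self._active.discard(user)
    def wrap(self, user, nonce, blob):
        if user not in self._active:
            raise PermissionError(f"{user} is not an active user")
        return stream_xor(self._kek, nonce, blob)
    unwrap = wrap                              # same keystream reverses the wrap

def protect_drive(server, user, password, plaintext):
    """Drive image whose DEK is wrapped under the password key AND the server KEK."""
    dek, salt, nonce = (secrets.token_bytes(n) for n in (32, 16, 16))
    inner = bytes(a ^ b for a, b in zip(dek, pw_key(password, salt)))  # password layer
    outer = server.wrap(user, nonce, inner)                             # organisation layer
    return {"salt": salt, "nonce": nonce, "wrapped_dek": outer,
            "check": hashlib.sha256(b"kcv" + dek).digest()[:8],        # key check value
            "ct": stream_xor(dek, nonce, plaintext)}

def open_drive(server, user, password, image):
    """Unwrap in reverse order; the server call is where revocation bites."""
    inner = server.unwrap(user, image["nonce"], image["wrapped_dek"])  # PermissionError if revoked
    dek = bytes(a ^ b for a, b in zip(inner, pw_key(password, image["salt"])))
    if hashlib.sha256(b"kcv" + dek).digest()[:8] != image["check"]:
        raise ValueError("wrong password")
    return stream_xor(dek, image["nonce"], image["ct"])

def can_open(server, user, password, image) -> bool:
    try:
        open_drive(server, user, password, image)
        return True
    except (PermissionError, ValueError):
        return False
```

Revocation only helps while the unwrapped data key is never cached on the client; a user who has already exported the key, or still holds a valid account, is outside this model.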
Not quite the attack I was expecting on an encrypted drive, but it's getting there.
I have long believed that encrypted drives will NOT protect sensitive data from getting breached; however, the attack I have been anticipating is that an attacker will simply read off the decrypted data after the legitimate user has logged into the system and authenticated themselves to decrypt all data off the disk automatically.
Not sure if UCLA gets the big picture at all; this may be the 4th or 5th breach they’ve announced since California’s SB-1386 went into effect 7 years ago.
Incredibly common and won’t be the last. There are docs who store years of surgery PICTURES like a portfolio for boards…