Yesterday, we wrote that 2015 was the year that hackers discovered that healthcare security is terrible and swiped more than 100 million patient records. We also said that it was probably going to keep happening because the healthcare industry isn't used to making security a priority.
Just one day later, we have news out of Texas about a data breach affecting 1,300 patients. While that isn't a lot in the grand scheme of things, it's interesting to look at how it happened because it could easily occur again.
The HealthSouth Rehabilitation Hospital of Round Rock, Texas, is admitting that in October an employee left a company laptop in their car, which was stolen. Information on the laptop includes "names, addresses, birth dates, Social Security numbers, insurance IDs, phone numbers, diagnoses, referral IDs and medical record numbers" for each patient.
While the computer was password protected, the information on the drive wasn't encrypted, so it would be fairly easy for a hacker to get. So far there's no evidence the thief has used or sold the information, and the thief probably doesn't even know it's there, but just having it floating out there is worrying.
What makes this story interesting is that HealthSouth has a policy of encrypting its computers' hard drives. However, it had just taken over operating the facility earlier that month, and the laptop was stolen before it could be exchanged for a secure one. Chalk it up to very bad timing.
However, this episode reveals a struggle the healthcare industry is going to have as it works to secure its systems. Not only does it have to secure information going forward, it needs to hunt down places where information was stored in the past that aren't secure.
With medical companies merging and acquiring regularly, finding all these spots is a serious undertaking. There are likely dozens or hundreds of hidden security time bombs that are going to be going off for years to come.