A health provider in Oregon is learning the hard way that it is more important to protect the data on the backup media than it is to protect the backup media itself. Measures to protect backup tapes or external drives from theft or natural disaster have little effect on protecting the data when the tapes or drives are lost or stolen.
Dunes Family Health Care has issued a notice to about 16,000 current and former patients to let them know their personal information–including name, date of birth, clinical patient data, and in some cases Social Security numbers–has been compromised.
According to the notice, Dunes Family Health Care relied on a third party to store and protect the backup media. They knew enough to A) back up their data, B) store it at an offsite location, and C) ensure that the backup media was protected against theft or natural disaster. The statement says, “The hard drive was stored in a locked, fire-protected building with limited access.” But the drive was apparently stolen anyway, and Dunes Family Health Care forgot the most important step–encrypting the backup data itself so that it is safe even if the backup media is lost or stolen.