On April 1st a hard drive was stolen from the mammography suite of The Medical Center at Bowling Green. The missing drive contained information on 5,418 patients who had undergone bone density testing between 1997 and 2009–including names, addresses, birth dates, physician names, medical records, and possibly Social Security numbers.

Of course the data was not encrypted or protected on the drive itself, placing it at risk of exposure to anyone who happens to examine the contents of the drive. The medical center managed the investigation internally for 17 days before notifying authorities and turning the case over as a criminal incident. At that point, it also began to notify the affected patients.

Looking at the positive side of the incident “Since the theft occurred, hospital officials have taken steps to strengthen the security of patient information and that includes linking to a secure network eliminating the need for computer hard drives, such as the one that was stolen.”

Yet again, a case of reacting after the fact. Installing a sprinkler system AFTER the building burns down offers little consolation for the lost building–yet so many companies and IT administrators seem to be willing to gamble with the personal information they are entrusted with–and frequently lose.

A small investment in proactively encrypting data to prevent unauthorized access would have protected the data and saved the Medical Center from the bad publicity and damaged reputation. “Fixing” the problem after the fact is almost always a more costly proposition than doing right in the first place.

Tags: Bowling Green, compromise, data breach, data protection, Kentucky, Medical Center, patient data

This entry was posted on Friday, April 30th, 2010 at 10:02 am and is filed under Security Breaches & Data Loss Incidents. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.